[NEWS] Tripod Account Hijack
From: support@securiteam.com Date: 02/22/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 22 Feb 2002 23:00:03 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Tripod Account Hijack
------------------------------------------------------------------------
SUMMARY
<http://www.tripod.lycos.com> Tripod is one of the world's largest
homepage providers for home users, with many millions of subscribers. A
security vulnerability in its web site allows attackers to gain access
to any account they desire.
DETAILS
By manipulating a URL string, it is possible to bypass authentication
checks and fully administer a victim's homepage. The URL is:
http://www.tripod.lycos.com/bin/membership/activate?member_name=USERNAMEHERE&redirect=/build/welcome/build.html
where "USERNAMEHERE" is replaced with the victim's account name. The
activation endpoint trusts the member_name parameter alone, so no
credential for that account is ever checked.
From the page you are redirected to, it is possible to use all the
administrative functions available to the hijacked Tripod member's
account.
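Added example, not Tripod's code: a minimal activation handler with the flaw the advisory describes (the account is selected solely by a query parameter) next to a hardened version that only honours a server-issued, HMAC-signed, expiring, single-use token. All function names, the key and the sample queries are hypothetical constructions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs

# Server-side signing key; constructed here, would live in a secret store in practice.
SECRET = secrets.token_bytes(32)
_used_tokens: set = set()  # single-use bookkeeping (in-memory for the example)


def activate_vulnerable(query: str) -> Optional[str]:
    """Mirrors the advisory: whoever names a member gets that member's session."""
    name = parse_qs(query).get("member_name", [None])[0]
    return f"session-for:{name}" if name else None


def issue_activation_token(member_name: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issued only after the server has verified the member (e.g. a mailed link).
    Layout: <member>.<expiry>.<hmac-sha256 over member and expiry>."""
    exp = int(now if now is not None else time.time()) + ttl
    mac = hmac.new(SECRET, f"{member_name}.{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{member_name}.{exp}.{mac}"


def activate_hardened(query: str, now: Optional[int] = None) -> Optional[str]:
    """Accepts only a valid, unexpired, never-before-seen token; member_name is ignored."""
    token = parse_qs(query).get("token", [None])[0]
    if not token:
        return None
    try:
        name, exp_s, mac = token.rsplit(".", 2)  # expiry and MAC never contain dots
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{name}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered member name or forged token
    if int(now if now is not None else time.time()) > exp:
        return None  # expired
    if token in _used_tokens:
        return None  # replayed
    _used_tokens.add(token)
    return f"session-for:{name}"
```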
Implications:
Given the severity of the hole and the ease of exploitation, mass
defacement of home users' web pages would be possible, as would the
extraction of private data from files stored in their web space, CGI
directories, etc.
It is not far-fetched to suggest that a script could be written to mass
delete or deface all Tripod homepages by spidering the Tripod directory
and systematically hijacking the accounts before using the web-based file
administration tool Tripod offers.
Vendor status:
Lycos, the parent company of Tripod, was notified on 19/02/02 and repaired
its authentication systems the same day.
Its rapid response to this issue was exemplary, and its comments were
as follows:
> After verifying your report, Tripod Engineering blocked the exploit at
> 7:50pm on 2/19 and a full fix was released at 11:20am this morning.
>
> There are two clarifications I would like to suggest for your advisory.
> First, I'd like to point out that only the U.S. Tripod was vulnerable to
> this exploit. Secondly, member email was not exposed through this
> exploit.
> Regards,
>
> - Don
(Response by: Don M. Kosak, Sr. Director of Engineering, Portal
Services, TerraLycos.)
ADDITIONAL INFORMATION
The information has been provided by <mailto:labrat@interrorem.com> Russ
Spooner.