Date: Tue, 25 Aug 1998 15:39:11 -0700
From: "Leonid S. Knyshov" <[email protected]>
To: [email protected]Subject: Webmail.bellsouth.net security problems
Dear Bugtraq readers and security at Bellsouth
Upon examining my log files, I came across an interesting fact.
Background:
As part of my Internet marketing efforts, I read web log files daily to
see if anything interesting comes up.
Just today I was reading my logs this way: grep welcome.html access.log
And among others there was this entry:
*.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 20
0 4427
"http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=W
ebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn
-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn="
"Moz
illa/3.02Gold (WinNT; I)"
Naturally that sparked my interest, so I went to that exact same URL. I
was greeted with a message that 2 hours passed and I am logged off, but
that's not a good thing.
Concerns:
Bellsouth.net webmail customers accounts may be easily abused
Investigation:
Just created an account to check out features,
POP3 access without additional authentication I presume
Oh my God... There is a tab "Personal Info" *gasp*...
Address, phone number, place of work, etc.
Obviously this is unacceptable. Incredibly easy to bypass security.
One attack would be:
to: [email protected]
subject: check out my site!
Hey buddy, check out my site! http://www.crashproofpc.com
If they click they send me their UNLOCKED mailibox location via
HTTP_REFERER, and if I have access to log files, I can easily get into
that account and cause a great deal of trouble. I won't go into any
further details :)
--
Leonid S. Knyshov
Information Technology Consultant
Crashproof Solutions - "Keeping true to our name!"
http://www.crashproofpc.com
