[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1092158585.13286.64.camel@forge.intermeta.de>
Date: Tue, 10 Aug 2004 19:23:05 +0200
From: Henning Schmiedehausen <hps@...ermeta.de>
To: BUGTRAQ@...URITYFOCUS.COM
Subject: spamcop.net allows everyone to grab mail addresses and reset
passwords
Hi,
spamcop.net is service for tracking Spammers. It offers free and paid
subscription services and ISP people responsible for various mail
domains can register with spamcop to be informed when spam is
originating from a local mail address.
The spamcop.net service offers an account management page on their
web site where you can reset the password. This page is reached via
http://www.spamcop.net/w3m?action=ispaccountform&ispid=<xxx>
where <xxx> is a random number between 1 and roughly 1.6 million. This
number determines which account is selected. After doing so, everyone
can reset the password and the account mail address is displayed.
Impact: 1) Everyone can reset any spamcop password for a subscribed
user. While the user gets his new password mailed, these mails
might be simply ignored (especially in these phishing days
where everyone gets a zillion passwords mailed each day.
This allows a large DoS against spamcop and its user base.
2) By writing a simple loop, a spammer can pull all the
registered (and probably read) mail addresses from spamcop.net,
turning spamcop into a large "valid addresses for free" site.
Spamcop.net has been informed (info@...mcop.net, abuse@...mcop.net,
postmaster@...mcomp.net) on Jul 27th. No reaction yet.
Regards
Henning
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH
hps@...ermeta.de +49 9131 50 654 0 http://www.intermeta.de/
RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire
Linux, Java, perl, Solaris -- Consulting, Training, Development
"Fighting for one's political stand is an honorable action, but re-
fusing to acknowledge that there might be weaknesses in one's
position - in order to identify them so that they can be remedied -
is a large enough problem with the Open Source movement that it
deserves to be on this list of the top five problems."
--Michelle Levesque, "Fundamental Issues with
Open Source Software Development"
Powered by blists - more mailing lists