Date: Tue, 10 Aug 2004 19:23:05 +0200
From: Henning Schmiedehausen <hps@...ermeta.de>
To: BUGTRAQ@...URITYFOCUS.COM
Subject: spamcop.net allows everyone to grab mail addresses and reset
	passwords


Hi,

spamcop.net is a service for tracking Spammers. It offers free and paid
subscription services and ISP people responsible for various mail
domains can register with spamcop to be informed when spam is
originating from a local mail address.

The spamcop.net service offers an account management page on their
web site where you can reset the password. This page is reached via

http://www.spamcop.net/w3m?action=ispaccountform&ispid=<xxx>

where <xxx> is a random number between 1 and roughly 1.6 million. This
number determines which account is selected. After doing so, everyone
can reset the password and the account mail address is displayed.

Impact: 1) Everyone can reset any spamcop password for a subscribed
        user. While the user gets his new password mailed, these mails
        might be simply ignored (especially in these phishing days
        where everyone gets a zillion passwords mailed each day).

        This allows a large DoS against spamcop and its user base.

        2) By writing a simple loop, a spammer can pull all the
        registered (and probably read) mail addresses from spamcop.net,
        turning spamcop into a large "valid addresses for free" site.

Spamcop.net has been informed (info@...mcop.net, abuse@...mcop.net,
postmaster@...mcomp.net) on Jul 27th. No reaction yet. 

	Regards
		Henning


-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@...ermeta.de        +49 9131 50 654 0   http://www.intermeta.de/
 
RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but re-
 fusing to acknowledge that there might be weaknesses in one's
 position - in order to identify them so that they can be remedied -
 is a large enough problem with the Open Source movement that it
 deserves to be on this list of the top five problems."
                       --Michelle Levesque, "Fundamental Issues with
                                    Open Source Software Development"
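
The flaw described in the message above is that the numeric `ispid` in the URL is the only thing selecting an account. As an added example (not part of the original post and not spamcop.net's code), this Python block models that behaviour next to a reset flow keyed on a mailed, single-use random token; the account data, function names and TTL are assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample data; the numeric id is an internal key only.
ACCOUNTS = {1: {"email": "abuse@isp.example", "pw_hash": "old"}}
PENDING = {}        # sha256(token) -> (account id, expiry time)
TOKEN_TTL = 3600    # seconds (assumed value)
NEUTRAL = "If that address is registered, a reset link has been sent."


def flawed_account_form(ispid):
    """Model of the behaviour the post describes: the id alone selects the
    account, the password is replaced and the address is displayed."""
    acct = ACCOUNTS[ispid]
    acct["pw_hash"] = "reset-" + secrets.token_hex(4)
    return acct["email"]


def request_reset(email, now=None):
    """Step 1: nothing changes yet and the reply never varies."""
    now = time.time() if now is None else now
    outbox = []     # (address, token) pairs to mail, never rendered in HTML
    for acct_id, acct in ACCOUNTS.items():
        if acct["email"] == email:
            token = secrets.token_urlsafe(32)   # 256 random bits
            digest = hashlib.sha256(token.encode()).hexdigest()
            PENDING[digest] = (acct_id, now + TOKEN_TTL)
            outbox.append((email, token))
    return NEUTRAL, outbox


def confirm_reset(token, new_pw_hash, now=None):
    """Step 2: only the holder of the mailed token changes the password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)           # single use
    if entry is None or entry[1] < now:
        return False
    ACCOUNTS[entry[0]]["pw_hash"] = new_pw_hash
    return True
```

In the second flow the existing password stays valid until the token is redeemed, so an unsolicited request neither locks the user out nor reveals the address.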


