Message-ID: <1063406685.3327.47.camel@tantor.nuclearelephant.com>
From: jonathan at nuclearelephant.com (Jonathan A. Zdziarski)
Subject: VSNL POP Webmail Referer Vulnerability

About VSNL POP:
VSNL POP appears to be a proprietary webmail client used by VSNL.COM's webmail subscriber service.
VSNL is a provider of IP-VPN solutions in both India and the United States with
over 1GB of Internet bandwidth capacity that provides public webmail services on a subscription basis.

Vulnerability:
While glancing at my personal website visitors using WebPulse (a tool
bundled with WebConference LiveHelp for monitoring website visitors in
real time), I clicked on the referer for one user in particular to see
who was linking to my site.  To my shock and dismay, I was logged right
into the user's web-based mailbox and had access to their address book,
inbox, etcetera.  

It appears that VSNL mail does not have any type of session-cookie
authentication as most webmail clients do, but rather stores the session
id in the URL.  The result is an open hole enabling anyone to log into
the user's mailbox as long as the user is still logged in, provided they
have this information.

The obvious attack is anyone who is able to obtain the session id of the
victim from an HTTP_REFERER.  This information is divulged whenever a
user clicks on a link from within their webmail.  

Due to another vulnerability (the fact that the session id is only six
digits), one could theoretically also launch a brute force session id
attack on the URL in an attempt to gain access to any open
accounts... but may at least have to match the username.

Workaround:
If you are a VSNL POP webmail user, do not click on any web links
directly, but copy/paste them into your browser.  Whenever you are
logged in, also remember that you are subject to a potential brute force
attack until VSNL repairs this problem.
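
Added example (not part of the original post and not VSNL's code): a defender-side check that flags session ids carried in a URL and estimates how small their value space is, next to response headers that keep the id in a cookie and out of the Referer. The parameter names, the 64-bit threshold, and the sample URL are assumptions made for illustration.

```python
import math
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names; the post does not say what the URL parameter was called.
SESSION_PARAMS = {"sid", "session", "sessionid", "session_id", "phpsessid", "jsessionid"}
MIN_BITS = 64  # threshold chosen for this example
# Constructed sample: a six-digit session id in the query string, as the post describes.
SAMPLE_URL = "https://webmail.example/inbox?user=alice&sid=483920"


def token_bits(token):
    """Estimate the token's value space in bits from its length and character set."""
    if token.isdigit():
        alphabet = 10
    elif all(c in "0123456789abcdefABCDEF" for c in token):
        alphabet = 16
    else:
        alphabet = 64
    return len(token) * math.log2(alphabet)


def audit_url(url):
    """Return one finding per session-like parameter found in the URL query string."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            bits = token_bits(value)
            findings.append({
                "param": name,
                "in_url": True,               # will be sent in Referer on outbound clicks
                "bits": round(bits, 1),
                "guessable": bits < MIN_BITS,  # six digits is about 19.9 bits
            })
    return findings


def hardened_session_headers():
    """Response headers that carry the session id in a cookie instead of the URL."""
    cookie = SimpleCookie()
    cookie["session"] = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return [
        ("Set-Cookie", cookie["session"].OutputString()),
        ("Referrer-Policy", "no-referrer"),  # outbound links send no Referer at all
    ]
```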





