Type packetstorm
Reporter Efrain Torres
Modified 2000-02-01T00:00:00


                                            `[LoWNOISE Colombia 2000]  
+---[RightFax Web Client v5.2: Hijack user's sessions]  
Using your web browser When you click to log on to the rightfax server,  
it opens a new window. In that window you are asked for a username  
and password. The Toolbar on the browser is hidden, but if you open  
the location toolbar (Netscape: view/show/location toolbar) you will  
see something like this:  
c=urol2zi29uncz0 <-- This is a session number  
If you make some conections you will have:  
[round 1]  
c=ur o l 2 zi29u n c z0  
c=ur q 2 1 zi29u n t z0  
c=ur r i 0 zi29u p 3 z0  
c=ur s x y zi29u p k z0  
c=ur u e x zi29u q 6 z0  
c=ur v u w zi29u q q z0  
c=ur x b v zi29u r 8 z0  
c=ur y r u zi29u r p z0  
c=us 1 8 t zi29u s 7 z0  
c=us 2 o s zi29u s q z0  
c=us 4 5 r zi29u t 5 z0  
c=us 5 l q zi29u t k z0  
c=us 7 2 p zi29u u 1 z0  
c=us 8 i o zi29u u f z0  
c=us 9 y n zi29u u x z0  
c=us b f m zi29u w c z0  
[round 2]  
c=us b f m zi29v 4 j z0  
c=us c v l zi29v 4 x z0  
c=us e c k zi29v 5 b z0  
c=us f s j zi29v 5 p z0  
c=us h 9 i zi29v 6 3 z0  
c=us i p h zi29v 6 h z0  
c=us k 6 g zi29v 6 y z0  
c=us l m f zi29v 7 f z0  
c=us n 3 e zi29v 7 r z0  
c=us o j d zi29v 8 7 z0  
c=us q 0 c zi29v 8 q z0  
c=us r g b zi29v 9 4 z0  
c=us s w a zi29v 9 o z0  
[round 3]  
c=ur l o 4 zi29v a 5 z0  
c=ur n 5 3 zi29v a k z0  
c=ur o l 2 zi29v b 6 z0  
c=ur q 2 1 zi29v b k z0  
c=ur s x y zi29v b x z0  
c=ur u e x zi29v c c z0  
c=ur v u w zi29v c r z0  
c=ur x b v zi29v d 8 z0  
c=ur y r u zi29v d y z0  
xxxx a r b xxxxx d r xx  
x = the same for all the round  
a = a-z,0-9  
r = (the next letter from the previous round)  
b = 9-0,z-a  
d = double (aa-zz,00-99)  
THATS NO RANDOM. So you can guess other users session numbers.  
So Unhide the location toolbar and make this URL:  
+---[THE END]  
Efrain 'ET' Torres  
[LoWNOISE] Colombia 2000  
No human rights reserved@, narco-guerrilla.gov.co sucks.