[vchkpw] Fwd: PCL-0002: Session Hijacking in Sqwebmail

2003-11-17 Thread Anthony Baratta
For those that use SqWebMail...this came across BugTraq.

Date: Tue, 18 Nov 2003 02:18:04 +0100 (CET)
From: Vincenzo Ciaglia [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PCL-0002: Session Hijacking in Sqwebmail
---
PUCCIOLAB.ORG - ADVISORIES
http://www.pucciolab.org
---
PCL-0002: Session Hijacking in Sqwebmail

---
PuCCiOLAB.ORG Security Advisories [EMAIL PROTECTED]
http://www.pucciolab.org Vincenzo Ciaglia
November 18th, 2003
---
Package        : Sqwebmail
Vendor         : Inter7
Vulnerability  : access to private account without login, session hijacking
Problem-Type   : remote
risk           : low
Version        : All versions seem to be affected.
Official Site  : http://www.inter7.com/sqwebmail/sqwebmail.html
N Advisories   : 0002
***
About Sqwebmail
***
SqWebMail is a web CGI client for sending and receiving E-mail using Maildir
mailboxes. SqWebMail DOES NOT support traditional Mailbox files, only
Maildirs. This is the same webmail server that's included in the Courier mail
server, but packaged independently. If you already have Courier installed, you
do not need to download this version.
***
Proof of concepts

An attacker could send an email to a victim who used SQWEBMAIL, to get the
victim to visit a website, which then logs all available information about
the victim's system.
Example:
---
MY STAT FOR MY WEBSITE - REFERENT DOMAIN
http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trashform=folders
In this example, the victim has viewed our website while reading the mail
that we sent to him. The visit to the link has been recorded by our counter.
Now we will be able to access the victim's mail admin page and will be able
to read and send, calmly, his email without logging in. The session is closed
after approximately 20/30 minutes, and the attacker has the time to do as he
pleases.
*
What could an attacker do?
*
Read, write and fake your e-mail. He could send, from your email address, a
mail to your ISP and ask it for the user and password of your website. The
consequences would be catastrophic.
*
What can I do?
*
Actually, it seems that there isn't a patch for this problem.
*
Suggestion to SQWEBMAIL
*
It would have to reduce the time for the closing of the sessions.
Greetings,
Vincenzo Ciaglia
[EMAIL PROTECTED]




Re: [vchkpw] Fwd: PCL-0002: Session Hijacking in Sqwebmail

2003-11-17 Thread X-Istence
Anthony Baratta wrote:

> For those that use SqWebMail...this came across BugTraq.

> *
> What could an attacker do?
> *
> Read, write and fake your e-mail. He could send, from your email address, a
> mail to your ISP and ask it for the user and password of your website. The
> consequences would be catastrophic.
> *
> What can I do?
> *
> Actually, it seems that there isn't a patch for this problem.
> *
> Suggestion to SQWEBMAIL
> *
> It would have to reduce the time for the closing of the sessions.


Well, either that, or use cookies, and drop it totally. Or use the 
session ID as used now, but check the IP for a returning visitor that 
does not have a cookie set.

Thus now they cannot do this anymore.

X-Istence
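
The check suggested in the reply above, together with the shorter session lifetime the advisory asks for, as an added example that is not part of the original thread and is not SqWebMail's code. `SessionStore`, its methods and the `IDLE_TIMEOUT` value are hypothetical names and settings chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed value; the advisory reports sessions staying open for 20/30 minutes.
IDLE_TIMEOUT = 300  # seconds

class SessionStore:
    """In-memory session table keyed by the session ID carried in the URL."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._sessions = {}

    def login(self, user, client_ip):
        """Create a session; returns (url_session_id, cookie_value)."""
        sid = secrets.token_hex(16)
        cookie = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "cookie": cookie, "last": self._now()}
        return sid, cookie

    def validate(self, sid, client_ip, cookie=None):
        """Return the user name if the request may use the session, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last"] > IDLE_TIMEOUT:
            del self._sessions[sid]            # idle too long: drop the session
            return None
        if cookie is not None:
            # The cookie never appears in a URL, so a leaked link lacks it.
            allowed = hmac.compare_digest(cookie, session["cookie"])
        else:
            # No cookie set: accept only the address that logged in.
            allowed = client_ip == session["ip"]
        if not allowed:
            return None
        session["last"] = self._now()
        return session["user"]
```

A URL copied from a Referer log carries only the session ID, so a request made with it from another address fails both branches.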




Re: [vchkpw] Fwd: PCL-0002: Session Hijacking in Sqwebmail

2003-11-17 Thread Paul Theodoropoulos
i realize the author isn't a native english speaker, but this is 
ridiculous, to wit:


> Package        : Sqwebmail
> Vendor         : Inter7
> Vulnerability  : access to private account without login, session hijacking
> Problem-Type   : remote
> risk           : low
                   ^

risk: low

> Version        : All versions seem to be affected.
> Official Site  : http://www.inter7.com/sqwebmail/sqwebmail.html
> N Advisories   : 0002
> Example:
> ---
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trashform=folders

page not found. how helpful!

> Read, write and fake your e-mail. He could send, from your email address, a
> mail to your ISP and ask it for the user and password of your website. The
> consequences would be catastrophic.

consequences...catastrophic

make up your mind, dude. is it low or catastrophic?

Paul Theodoropoulos
http://www.anastrophe.com



Re: [vchkpw] Fwd: PCL-0002: Session Hijacking in Sqwebmail

2003-11-17 Thread Rainer Duffner
On Mon, 17 Nov 2003 11:14:24 -0800
Anthony Baratta [EMAIL PROTECTED] wrote:

> For those that use SqWebMail...this came across BugTraq.
>
> Date: Tue, 18 Nov 2003 02:18:04 +0100 (CET)
> From: Vincenzo Ciaglia [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: PCL-0002: Session Hijacking in Sqwebmail
>
> ---
> PUCCIOLAB.ORG - ADVISORIES
> http://www.pucciolab.org
> ---
>
> PCL-0002: Session Hijacking in Sqwebmail

[snip]

> Example:
> ---
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trashform=folders
>
> In this example, the victim has viewed our website while reading the mail
> that we sent to him. The visit to the link has been recorded by our counter.
> Now we will be able to access the victim's mail admin page and will be able
> to read and send, calmly, his email without logging in. The session is closed
> after approximately 20/30 minutes, and the attacker has the time to do as he
> pleases.

I haven't tried this, but I was under the impression that the "Restrict access
to your IP address only (increased security)" option specifically avoided the
problem of session-hijacking.
Also, I thought that sqwebmail used to escape outbound hyperlinks via a special
URL-forwarder (which often didn't work in some browsers), with the only intent
to cloak the referrer.

Is this all useless?




Rainer
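
Where the IP restriction mentioned above is not enabled, the reuse described in the advisory appears in the web server's access log as one session ID requested from more than one client address. The following check is an added example, not part of the thread and not SqWebMail code; the Common Log Format prefix, the function names and the sample lines are assumptions, and only the URL path layout is taken from the advisory's example.

```python
import re
from collections import defaultdict

# Path layout follows the example URL in the advisory:
#   /cgi-bin/sqwebmail/login/<account>/<session id>/<timestamp>
# The Common Log Format prefix is an assumption about the web server.
SESSION_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) '
    r'/cgi-bin/sqwebmail/login/(?P<account>[^/\s]+)/'
    r'(?P<sid>[0-9A-Fa-f]{32})/\d+'
)

def sessions_with_multiple_clients(log_lines):
    """Return {(account, session id): [client IPs]} for sessions used by >1 IP."""
    seen = defaultdict(set)
    for line in log_lines:
        m = SESSION_RE.match(line)
        if m:
            seen[(m["account"], m["sid"].upper())].add(m["ip"])
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}

def _line(ip, account, sid, query):
    """Build one constructed Common Log Format line for the sample below."""
    return (f'{ip} - - [18/Nov/2003:02:20:01 +0100] "GET /cgi-bin/sqwebmail/login/'
            f'{account}/{sid}/1069089171?{query} HTTP/1.0" 200 5120')

# Constructed sample: documentation addresses and made-up session IDs.
ALICE = "alice%40example.org.authvchkpw"
BOB = "bob%40example.org.authvchkpw"
SAMPLE_LOG = [
    _line("192.0.2.10", ALICE, "0123456789ABCDEF0123456789ABCDEF", "folder=INBOX"),
    _line("198.51.100.7", ALICE, "0123456789abcdef0123456789abcdef", "folder=Trash"),
    _line("192.0.2.44", BOB, "FEDCBA9876543210FEDCBA9876543210", "folder=INBOX"),
    '192.0.2.44 - - [18/Nov/2003:02:21:00 +0100] "GET /index.html HTTP/1.0" 200 312',
]

if __name__ == "__main__":
    for (account, sid), ips in sessions_with_multiple_clients(SAMPLE_LOG).items():
        print(f"{account} session {sid} used from {', '.join(ips)}")
```

Users behind proxy pools or with changing addresses produce the same pattern, so a hit is a lead for review rather than proof of hijacking.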