109613 2003-08-14  02:00  /46 lines/ Vincenzo 'puccio' Ciaglia <puccio@pucciolab.org>
Imported: 2003-08-14  02:00  by Brevbäraren (the mail importer)
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <6010>
Subject: PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
------------------------------------------------------------
---------------------------
PUCCIOLAB.ORG - ADVISORIES
<http://www.pucciolab.org> 	 
---------------------------

PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4

---------------------------------------------------------------------------
PuCCiOLAB.ORG Security Advisories                      puccio@pucciolab.org
http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia
August 12th, 2003                       
---------------------------------------------------------------------------

Package        : Horde MTA
Vulnerability  : access to private account without login
Problem-Type   : remote
Version        : All < 2.2.4 
Official Site  : http://horde.org/
N° Advisories  : 0001

***********************
Description of problem
***********************
An attacker could send an email to a victim who uses HORDE MTA in order to
push them to visit a website. The website in question logs all accesses and
records in detail the origin of every visitor.

Example: 
-------------------
MY STAT FOR MY WEBSITE - REFERENT DOMAIN 
HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C879B290D12630&INDEX=XXX 

In this example, the victim has viewed our website while reading the mail
that we sent to them. By visiting the link recorded by our access counter,
we will be able to reach the victim's mail management page and will be able
to read and send their email at leisure, without logging in. The session
closes after approximately 20 minutes, and the hacker has time to make
himself comfortable.

*************************
What could an attacker do?
*************************
Read, write and fake your e-mail. They could send, from your email address,
a mail to your ISP and ask it for the user and password of your website. The
consequences would be catastrophic.

*************************
What can I do?
*************************
Upgrade your MTA agent to version 2.2.4.

Greetings,
Vincenzo 'puccio' Ciaglia
www.pucciolab.org
(109613) /Vincenzo 'puccio' Ciaglia <puccio@pucciolab.org>/(Reflowed)
Comment in text 109885 by Ricardo J. Ulisses Filho <ricardoj@hotlink.com.br>
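The leak the advisory describes is the HTTP Referer header: when the victim follows a link from the webmail page, the browser sends the full webmail URL, session id included, to the attacker's server, where it lands in the access log. The script below is an added example, not code from either message or from the Horde project. It parses Apache "combined" format log lines and reports every Referer whose query string carries a PHP session id, rebuilding the URL an attacker would replay. The log lines are constructed here; the hosts and paths are hypothetical, the session value is the one from the advisory's example URL, and the assumption that the parameter is named "Horde" (PHP's session.name set to Horde, with the id appended by trans-sid) is taken from that URL. Run defensively over a proxy or webmail server log, the same scan finds outbound Referers that leak a session.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of an Apache "combined" access log on the attacker's web
# server. Hosts and paths are hypothetical; the session value is the one shown
# in the advisory's example URL. Only the first line carries a leaked session.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2003:18:30:01 +0200] "GET /counter.gif HTTP/1.1" 200 43 "http://mysite.mysociety.net/horde/imp/message.php?Horde=fc235847d2c8a88190c879b290d12630&index=42" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [13/Aug/2003:18:31:15 +0200] "GET /index.html HTTP/1.1" 200 1204 "http://www.example.org/" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2003:18:32:40 +0200] "GET /counter.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters that carry a PHP session id: the default PHPSESSID, and
# "Horde", which the advisory's example URL shows as the session name (assumption).
SESSION_PARAMS = {"phpsessid", "horde"}
# PHP 4-era session ids are 32 hex characters (MD5-sized).
SID_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def find_session_in_referer(referer):
    """Return (param, sid, base_url) if the Referer's query string carries a session id, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS and SID_RE.match(value):
            return name, value, f"{parts.scheme}://{parts.netloc}{parts.path}"
    return None


def leaked_sessions(log_text):
    """Scan combined-format log lines; return one dict per Referer that leaks a session id."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        found = find_session_in_referer(m.group("referer"))
        if found:
            name, sid, base = found
            hits.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "param": name,
                "sid": sid,
                # The URL an attacker would open to ride the victim's session.
                "replay_url": f"{base}?{name}={sid}",
            })
    return hits


if __name__ == "__main__":
    for hit in leaked_sessions(SAMPLE_LOG):
        print(hit)
```

Only the first log line is reported: the second has a Referer without a session parameter and the third has none at all. Note that any URL-borne session id is exposed this way, whether the link is clicked or an image embedded in the mail is fetched by the mail reader, so the check is worth running on your own server's logs whenever an application puts a session id in a URL.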
109885 2003-08-15  22:05  /76 lines/ Ricardo J. Ulisses Filho <ricardoj@hotlink.com.br>
Imported: 2003-08-15  22:05  by Brevbäraren (the mail importer)
External recipient: Vincenzo 'puccio' Ciaglia <puccio@pucciolab.org>
Recipient: Bugtraq (import) <6072>
Comment on text 109613 by Vincenzo 'puccio' Ciaglia <puccio@pucciolab.org>
Subject: Re: PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
------------------------------------------------------------
Hi,

I've made some tests here and could reproduce the same vulnerability
behaviour described in your advisory. Reading about session handlers in
php.ini, there is an option called "session.use_only_cookies" that, if set,
avoids this sort of attack, which involves passing session ids in URLs.
Unfortunately, this option is not used by most default php.ini
configurations.

Regards,

-- 
Ricardo J. Ulisses Filho
_____________________________
ricardoj@hotlink.com.br
System Administrator
HOTlink Internet - Recife / PE /  Brazil

On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
(109885) /Ricardo J. Ulisses Filho <ricardoj@hotlink.com.br>/(Reflowed)
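The php.ini setting Ricardo points to, shown as an added example that is not part of the thread. Two directives matter for session ids in URLs: session.use_only_cookies, which makes PHP refuse a session id supplied anywhere but a cookie, and session.use_trans_sid, which is what writes the id into links in the first place (the "Horde=..." in the advisory's URL is the shape trans-sid produces when session.name is "Horde"). The weak and hardened fragments below are constructed; the audit function parses php.ini syntax, interprets PHP's boolean spellings, and treats a missing directive as PHP's built-in default of the time (both 0), an assumption stated in the code.

```python
# Constructed php.ini fragments (not from the thread). The first reflects the
# default-style configuration Ricardo describes; the second is the hardened form.
WEAK_INI = """\
[Session]
session.save_handler = files
session.name = Horde
session.use_cookies = 1
session.use_only_cookies = 0   ; default: session id also accepted from the URL
session.use_trans_sid = 1      ; links and forms get the session id appended
"""

HARDENED_INI = """\
[Session]
session.save_handler = files
session.name = Horde
session.use_cookies = 1
session.use_only_cookies = 1   ; session id only honoured from the cookie
session.use_trans_sid = 0      ; never emit the session id into URLs
"""

# Directive -> (value that closes the URL-borne session id hole, what the wrong value allows).
REQUIRED = {
    "session.use_only_cookies": (True, "PHP accepts a session id from the URL or POST body"),
    "session.use_trans_sid": (False, "PHP rewrites links and forms to carry the session id in the URL"),
}

# Assumption: PHP's built-in defaults when the directive is absent (both 0 at the time of the thread).
BUILTIN_DEFAULTS = {"session.use_only_cookies": "0", "session.use_trans_sid": "0"}


def parse_php_ini(text):
    """Minimal php.ini parser: {directive: value} for 'key = value' lines; ';' comments and [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip trailing comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings


def ini_bool(value):
    """Interpret a php.ini boolean as PHP does: 1/on/yes/true are true, anything else is false."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit_session_ini(text):
    """Return a list of problem strings; an empty list means no session id travels via URL."""
    settings = parse_php_ini(text)
    problems = []
    for directive, (wanted, why) in REQUIRED.items():
        current = ini_bool(settings.get(directive, BUILTIN_DEFAULTS[directive]))
        if current != wanted:
            problems.append(f"{directive} = {int(current)} (want {int(wanted)}): {why}")
    return problems


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_session_ini(ini) or ["ok"])
```

The weak fragment yields two findings and the hardened one none. Setting use_only_cookies alone stops PHP from honouring a session id that arrives in a URL, which is the replay half of the attack; turning trans-sid off stops the id from being put into URLs at all, so it is never present in a Referer. Neither directive helps if the application builds session-bearing URLs itself rather than relying on PHP's session handler.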