I've made some tests here and could reproduce the same vulnerability behaviour
described in your advisory.
Reading about session handlers, in php.ini, there is an option called
"session.use_only_cookies", that, if set, avoids such sort of attack which
involves passing session ids in URLs.
Unfortunately, this option is not used by most default php.ini configurations.
Regards,
--
Ricardo J. Ulisses Filho
_____________________________
ricardoj (at) hotlink.com (dot) br [email concealed]
System Administrator
HOTlink Internet - Recife / PE / Brazil
On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
> ---------------------------
> PUCCIOLAB.ORG - ADVISORIES
> <http://www.pucciolab.org>
> ---------------------------
>
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
>
> ------------------------------------------------------------------------
---
> PuCCiOLAB.ORG Security Advisories puccio (at) pucciolab (dot) org [email concealed]
> http://www.pucciolab.org Vincenzo 'puccio' Ciaglia
> August 12th, 2003
> ------------------------------------------------------------------------
---
>
> Package : Horde MTA
> Vulnerability : access to private account without login
> Problem-Type : remote
> Version : All < 2.2.4
> Official Site : http://horde.org/
> N° Advisories : 0001
>
> ***********************
> Description of problem
> ************************
> An attacker could send an email to the victim who ago use of HORDE MTA in
> order to push it to visit a website. The website in issue log all the
> accesses and describe in the particular the origin of every victim.
>
> Example:
> -------------------
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A881
90C
>879B290D12630&INDEX=XXX
>
> In this example, the victim has visualized our website reading the mail
> that we have sent to it. Visiting the link marked from our counter of
> accesses, we will be able to approach the page of management of the mail of
> the victim and will be able to read and to send, calmly, its email without
> to make the login.The session comes sluice after approximately 20 minutes
> and the hacker it has the time to make its comfortable ones.
>
> *************************
> What could make a attacker?
> *************************
> Read, write and fake your e-mail. Could send , from you email address, a
> mail to your ISP and ask it User e PASS of your website.The consequences
> would be catastrophic
>
> *************************
> What I can do ?
> *************************
> Upgrade your MTA Agent to 2.2.4 version.
>
> Greet,
> Vincenzo 'puccio' Ciaglia
> www.pucciolab.org
I've made some tests here and could reproduce the same vulnerability behaviour
described in your advisory.
Reading about session handlers, in php.ini, there is an option called
"session.use_only_cookies", that, if set, avoids such sort of attack which
involves passing session ids in URLs.
Unfortunately, this option is not used by most default php.ini configurations.
Regards,
--
Ricardo J. Ulisses Filho
_____________________________
ricardoj (at) hotlink.com (dot) br [email concealed]
System Administrator
HOTlink Internet - Recife / PE / Brazil
On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
> ---------------------------
> PUCCIOLAB.ORG - ADVISORIES
> <http://www.pucciolab.org>
> ---------------------------
>
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
>
> ------------------------------------------------------------------------
---
> PuCCiOLAB.ORG Security Advisories puccio (at) pucciolab (dot) org [email concealed]
> http://www.pucciolab.org Vincenzo 'puccio' Ciaglia
> August 12th, 2003
> ------------------------------------------------------------------------
---
>
> Package : Horde MTA
> Vulnerability : access to private account without login
> Problem-Type : remote
> Version : All < 2.2.4
> Official Site : http://horde.org/
> N° Advisories : 0001
>
> ***********************
> Description of problem
> ************************
> An attacker could send an email to the victim who ago use of HORDE MTA in
> order to push it to visit a website. The website in issue log all the
> accesses and describe in the particular the origin of every victim.
>
> Example:
> -------------------
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A881
90C
>879B290D12630&INDEX=XXX
>
> In this example, the victim has visualized our website reading the mail
> that we have sent to it. Visiting the link marked from our counter of
> accesses, we will be able to approach the page of management of the mail of
> the victim and will be able to read and to send, calmly, its email without
> to make the login.The session comes sluice after approximately 20 minutes
> and the hacker it has the time to make its comfortable ones.
>
> *************************
> What could make a attacker?
> *************************
> Read, write and fake your e-mail. Could send , from you email address, a
> mail to your ISP and ask it User e PASS of your website.The consequences
> would be catastrophic
>
> *************************
> What I can do ?
> *************************
> Upgrade your MTA Agent to 2.2.4 version.
>
> Greet,
> Vincenzo 'puccio' Ciaglia
> www.pucciolab.org
[ reply ]