[LWN Logo]
[Timeline]
Date:         Tue, 28 Nov 2000 22:18:58 +0200
From: Philip Stoev <philip@STOEV.ORG>
Subject:      Remote File Attachment Theft via comm.lycos.com,angelfire.com,
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Date Published: November 28, 2000

Title: Remote File Attachment Theft via comm.lycos.com,angelfire.com,
eudoramail.com

Class: Access Validation Error

Remotely Exploitable: Yes

Vulnerability Description:

WebMail (possibly WhoWhere.com software) as installed on
comm.lycos.com, angelfire.com, eudoramail.com and others allows an
attacker to hijack other people's attachments by modifying the hidden
form fields on the compose message form. If a file is attached to a
message, the compose message form has a hidden form field that looks
something like this:

filename.txt = /tmp/cache/24377.550

By setting it to a similar value, one can send email containing
someone else's attachments. For example:

filename.txt = /tmp/cache/24377.549

It was also possible to do ../..-style directory transversal.

The nature of the problem lies in the following:

1. User is allowed to reference attachments belonging to other users,
that is, there were no file-ownership checks.
2. User input was not validated for ".." character sequences.
3. Naming of temporary files followed an easy-to-predict numbering
scheme.

Technical Description - Exploit/Concept Code:

This problem is trivial to exploit by hand by saving the compose
message HTML form locally and modifying it. However, it is imperative
to note that enforcing strict user-agent, cookie and referer check
does not prevent such vulnerabilities from being exploited. There are
publicly available tools (Such as The ELZA at www.stoev.org) that
allow for the exploitation of such vulnerabilities, while preserving
stealth behavior with respect to cookies, referers and user-agent
strings to the extent required to keep the web site software happy.

Solution/Vendor Information/Workaround:

The vendor has fixed this particular problem, however all web mail
vendors are hereby urged to evaluate their systems for similar
problems.

Vendor notified on: November 8, 2000

Credits: This vulnerability was discovered and reported by Philip
Stoev <philip@stoev.org>.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp@securityfocus.com.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: www stoev org

iQA/AwUBOiP3Eli4DH/L1CReEQLdjACgvDP2XdWD9J0rrpNItKXskIufoCcAn3Al
7737nb83pUw8x6LCar3AGs8p
=oC+g
-----END PGP SIGNATURE-----