Date: Tue, 28 Nov 2000 22:18:58 +0200
From: Philip Stoev <philip@STOEV.ORG>
Subject: Remote File Attachment Theft via comm.lycos.com,angelfire.com,
To: BUGTRAQ@SECURITYFOCUS.COM

Date Published: November 28, 2000
Title: Remote File Attachment Theft via comm.lycos.com, angelfire.com, eudoramail.com
Class: Access Validation Error
Remotely Exploitable: Yes

Vulnerability Description:

WebMail (possibly WhoWhere.com software) as installed on comm.lycos.com, angelfire.com, eudoramail.com and others allows an attacker to hijack other people's attachments by modifying the hidden form fields on the compose message form.

If a file is attached to a message, the compose message form has a hidden form field that looks something like this:

    filename.txt = /tmp/cache/24377.550

By setting it to a similar value, one can send email containing someone else's attachments. For example:

    filename.txt = /tmp/cache/24377.549

It was also possible to do ../..-style directory traversal.

The nature of the problem lies in the following:

1. Users were allowed to reference attachments belonging to other users; that is, there were no file-ownership checks.
2. User input was not validated for ".." character sequences.
3. Naming of temporary files followed an easy-to-predict numbering scheme.

Technical Description - Exploit/Concept Code:

This problem is trivial to exploit by hand by saving the compose message HTML form locally and modifying it. However, it is imperative to note that enforcing strict user-agent, cookie and referer checks does not prevent such vulnerabilities from being exploited. There are publicly available tools (such as The ELZA at www.stoev.org) that allow for the exploitation of such vulnerabilities while preserving stealth behavior with respect to cookies, referers and user-agent strings, to the extent required to keep the web site software happy.
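The following is an added example of how a server-side attachment store can close all three gaps listed above (ownership, ".." validation, predictable names); it is constructed for this advisory and is not code from the WhoWhere/Lycos WebMail software. The class name, the per-instance temp directory standing in for /tmp/cache, and the token format are assumptions.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional


class AttachmentRegistry:
    """Server-side attachment store for a compose form.

    The hidden form field carries only an opaque token; the server maps
    (user, token) to a path itself, so a client-supplied path like
    /tmp/cache/24377.549 is never used. Constructed example, not the
    vendor's code.
    """

    def __init__(self, cache_dir: Optional[str] = None) -> None:
        # A private directory per instance stands in for /tmp/cache (assumed).
        self.cache_dir = os.path.realpath(cache_dir or tempfile.mkdtemp())
        self._by_user: Dict[str, Dict[str, str]] = {}

    def store(self, user: str, data: bytes) -> str:
        # Flaw 3: sequential numbers are guessable; use a random 128-bit token.
        token = secrets.token_urlsafe(16)
        path = os.path.join(self.cache_dir, token)
        with open(path, "wb") as fh:
            fh.write(data)
        self._by_user.setdefault(user, {})[token] = path
        return token

    def resolve(self, user: str, token: str) -> str:
        # Flaw 1: ownership check. Only this user's own table is consulted,
        # so another user's token (or a guessed one) is simply unknown.
        path = self._by_user.get(user, {}).get(token)
        if path is None:
            raise PermissionError("no such attachment for this user")
        # Flaw 2: defence in depth against "..": the resolved path must stay
        # inside the cache directory even if a stored path were ever tainted.
        real = os.path.realpath(path)
        if os.path.commonpath([real, self.cache_dir]) != self.cache_dir:
            raise ValueError("attachment path escapes the cache directory")
        return real

    def can_access(self, user: str, token: str) -> bool:
        """True only if `user` may attach the file behind `token`."""
        try:
            self.resolve(user, token)
            return True
        except (PermissionError, ValueError):
            return False


if __name__ == "__main__":
    reg = AttachmentRegistry()
    tok = reg.store("alice", b"alice's report")
    print(reg.can_access("alice", tok))                 # True
    print(reg.can_access("bob", tok))                   # False: not bob's file
    print(reg.can_access("alice", "../../etc/passwd"))  # False: not a token
```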
Solution/Vendor Information/Workaround:

The vendor has fixed this particular problem; however, all web mail vendors are hereby urged to evaluate their systems for similar problems.

Vendor notified on: November 8, 2000

Credits:

This vulnerability was discovered and reported by Philip Stoev <philip@stoev.org>.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.