This (among other things in IMail v. 7.04 and earlier) was reported to Bugtraq by Niels Heinen (zilli0n@gmx.net) on the 12th of October last year. The only difference is that this post reports that v. 7.05 is also vulnerable (if not patched).

http://online.securityfocus.com/archive/1/219970

On 21:37 2002-03-10 +0100 Obscure wrote:

>Advisory Title: IMail Account hijack through the Web Interface
>Release Date: 10/03/2002
>Application: IMail Server
>
>Platform: Windows NT4
> Windows 2000
> Windows XP
>
>Version: 7.05 or earlier
>
>Severity: Malicious users can easily access other people's accounts.
>
>Author: Obscure^ [ obscure@eyeonsecurity.net ]
>
>Vendor Status: Informed on 21 Feb 2002, a fix was already issued to customers.
>
>
>Web:
>
>http://www.eyeonsecurity.net
>http://www.ipswitch.com
>
>
>Background.
>
>(extracted from http://www.ipswitch.com/Products/IMail_Server/index.html)
>
>The 20-Minute E-Mail Solution.
>IMail Server is an easy-to-use, web-enabled, secure and spam-resistant mail server for Windows NT/2000/XP. It is the choice of businesses, schools, and service providers.
>
>A Great Price-Performer.
>Unlike Microsoft® Exchange and Lotus® Notes, which are costly to deploy and cumbersome to administer, IMail Server is easy to install and easy to manage. It has a simple pricing structure and is scalable to thousands of users per server.
>
>
>Problem.
>
>When a user logs in to his account through the Web interface, the session authentication is maintained via a unique URL. By sending an HTML e-mail which includes an image at another server, an attacker can easily get the unique URL via the Referer field in the HTTP header.
>
>
>Exploit Example.
>
>http://eyeonsecurity.net/tools/referer.html
>A CGI script sends an e-mail with an attached image, pointing to another CGI script which sends the Referer URL to the attacker.
>
>
>Fix.
>
>Upgrade to IMail 7.06. The fixed version checks for the IP. The authentication now relies on the unique URL and the IP address. Of course users who log in to the IMail Web interface from behind proxies are still vulnerable.
>
>
>ps. This same vulnerability affects Excite WebMail. The Excite guys did not contact me back.
>
>
>Disclaimer.
>
>The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.
>
>
>Feedback.
>
>Please send suggestions, updates, and comments to:
>
>Eye on Security
>mail : obscure@eyeonsecurity.net
>web : http://www.eyeonsecurity.net
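As an added example (not from the advisory, from Ipswitch, or from the poster): since the pre-7.06 web interface accepts any request that carries the session URL, a mail admin can spot a hijacked session in the web server's access log by looking for the same session token being presented from more than one source address. The log lines and the `/webmail/<token>/` path layout below are constructed assumptions, not IMail's real URL scheme.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache-style). The path layout
# "/webmail/<token>/..." is an assumed placeholder for the per-session URL.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2002:21:00:01 +0100] "GET /webmail/s9f8a7b6c5d4/inbox HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Mar/2002:21:00:09 +0100] "GET /webmail/s9f8a7b6c5d4/read?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2002:21:03:44 +0100] "GET /webmail/s9f8a7b6c5d4/inbox HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.20 - - [10/Mar/2002:21:05:00 +0100] "GET /webmail/a1b2c3d4e5f6/inbox HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
"""

# source IP, timestamp, and the session token segment of the request path
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) /webmail/([A-Za-z0-9]+)/'
)


def first_seen_by_ip(log_text):
    """Map each session token to {source_ip: first timestamp it was seen from}."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a webmail request line
        ip, ts, token = m.groups()
        seen[token].setdefault(ip, ts)
    return seen


def suspicious_sessions(log_text):
    """Tokens presented from more than one source address, with the addresses.

    With the URL-only check described in the advisory, the second address
    gets a 200 just like the owner; with the 7.06 URL-plus-IP check it is
    rejected, but the attempt still shows up here and is worth a look.
    """
    return {
        token: sorted(ips)
        for token, ips in first_seen_by_ip(log_text).items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for token, ips in suspicious_sessions(SAMPLE_LOG).items():
        print(f"session {token} used from {len(ips)} addresses: {', '.join(ips)}")
```

As the advisory notes for the 7.06 fix, users sharing one proxy address are indistinguishable to this check as well, so a clean result does not prove a session was not reused.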