Hi,

I've made some tests here and could reproduce the same vulnerability behaviour
described in your advisory. Reading about session handlers, in php.ini, there
is an option called "session.use_only_cookies", which, if set, avoids this sort
of attack, which involves passing session ids in URLs. Unfortunately, this
option is not used by most default php.ini configurations.

Regards,

--
Ricardo J. Ulisses Filho
_____________________________
ricardoj@hotlink.com.br
System Administrator
HOTlink Internet - Recife / PE / Brazil

On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
> ---------------------------
> PUCCIOLAB.ORG - ADVISORIES
> <http://www.pucciolab.org>
> ---------------------------
>
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
>
> ---------------------------------------------------------------------------
> PuCCiOLAB.ORG Security Advisories                    puccio@pucciolab.org
> http://www.pucciolab.org                        Vincenzo 'puccio' Ciaglia
> August 12th, 2003
> ---------------------------------------------------------------------------
>
> Package        : Horde MTA
> Vulnerability  : access to private account without login
> Problem-Type   : remote
> Version        : All < 2.2.4
> Official Site  : http://horde.org/
> N° Advisories  : 0001
>
> ***********************
> Description of problem
> ************************
> An attacker could send an email to the victim who makes use of HORDE MTA in
> order to push it to visit a website. The website in issue log all the
> accesses and describe in the particular the origin of every victim.
>
> Example:
> -------------------
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C879B290D12630&INDEX=XXX
>
> In this example, the victim has visualized our website reading the mail
> that we have sent to it. Visiting the link marked from our counter of
> accesses, we will be able to approach the page of management of the mail of
> the victim and will be able to read and to send, calmly, its email without
> to make the login. The session comes sluice after approximately 20 minutes
> and the hacker it has the time to make its comfortable ones.
>
> *************************
> What could make an attacker?
> *************************
> Read, write and fake your e-mail. Could send, from your email address, a
> mail to your ISP and ask it User and PASS of your website. The consequences
> would be catastrophic.
>
> *************************
> What I can do ?
> *************************
> Upgrade your MTA Agent to 2.2.4 version.
>
> Greet,
> Vincenzo 'puccio' Ciaglia
> www.pucciolab.org
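
The reply's point about session.use_only_cookies, as an added example (not part of either message, and not Horde's code): a small Python audit of a php.ini for the directives that decide whether session ids may travel in URLs, and so in Referer headers. The sample file is constructed, session.use_trans_sid is a related PHP directive not named in the thread, and treating an absent directive as the old default is an assumption.

```python
# Constructed sample php.ini fragment (not taken from any real server).
SAMPLE_INI = """\
[Session]
session.save_handler = files
session.use_cookies = 1
;session.use_only_cookies = 1
session.use_trans_sid = On
"""

TRUE_VALUES = {"1", "on", "yes", "true"}

# Assumption: when a directive is absent, use the 2003-era behaviour the reply
# describes (use_only_cookies is off unless explicitly enabled).
ASSUMED_DEFAULTS = {
    "session.use_cookies": True,
    "session.use_only_cookies": False,
    "session.use_trans_sid": False,
}


def parse_ini(text):
    """Return {directive: raw value}; ';' starts a comment, last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_session_config(text):
    """List findings that allow a session id to be carried in the URL."""
    raw = parse_ini(text)

    def enabled(name):
        if name in raw:
            return raw[name].lower() in TRUE_VALUES
        return ASSUMED_DEFAULTS[name]

    findings = []
    if not enabled("session.use_only_cookies"):
        findings.append("session.use_only_cookies is off: ids passed in URLs are accepted")
    if enabled("session.use_trans_sid"):
        findings.append("session.use_trans_sid is on: PHP may rewrite links to carry the id")
    if not enabled("session.use_cookies"):
        findings.append("session.use_cookies is off: the URL is the only id transport")
    return findings
```

Running audit_session_config(SAMPLE_INI) reports the commented-out use_only_cookies line and the enabled use_trans_sid line; a file that sets the first to 1 and the second to 0 returns no findings.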