-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 18 November 2003 02:18, Vincenzo Ciaglia wrote:
> In this example, the victim has visualized our website reading the mail
> that we have sent to him. Visiting the link has been
> marked by our counter. Now we will be able to access the victim's
> mail page admin and will be able to read and to send, calmly,
> his email without logging in. The session closes after approximately
> 20/30 minutes and the attacker has the time
> to do as he pleases.
>

That doesn't work on my system. There is also protection by IP on sqwebmail that verifies that it is the authenticated IP that tries to access the mailbox, but that isn't the problem:

This is an Apache web log on the visited site that comes from a sqwebmail mail link:

manticore.digital-network.net - - [17/Nov/2003:20:23:07 +0100] "GET / HTTP/1.1" 200 509 "-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:08 +0100] "GET /menu.html HTTP/1.1" 200 861 "http://www.xxxxx.org/" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:08 +0100] "GET /corps.html HTTP/1.1" 200 1041 "http://www.xxxxx.org/" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:10 +0100] "GET /Images/miscmag9.jpg HTTP/1.1" 200 45795 "http://www.xxxxx.org/corps.html" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:10 +0100] "GET /Images/menu.gif HTTP/1.1" 200 1071 "http://www.xxxxx.org/menu.html" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"

friendly,

- --
Christophe Casalegno | Digital Network | UIN : 153305055
http://www.digital-network.net | http://www.speed-connect.com
http://www.securite-reseaux.com | http://www.dnsi.info
Security engineer network/systems | Intrusion tests specialist.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/uSPG0mOixX2DR8IRAgwwAKChwAXyEaWJ8as9xw2GMHo8Q37AEgCeLyIV
RF5GZxFnNcl62C7TAOLfwjs=
=E5Jm
-----END PGP SIGNATURE-----
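The whole disagreement above turns on one field: whether the Referer header that the webmail user's browser sends to the linked site carries the webmail session URL (and so a usable session token) or only an ordinary page URL, as in Christophe's log. The following script is an added example by the editor, not code from the mailing list, from sqwebmail, or from either poster: it parses Apache "combined" log lines, and for each one checks the Referer for a session-looking value. The heuristic (a query parameter named like a session, or a path segment of 16 or more hex characters) is an assumption of this example, not a description of sqwebmail's URL layout, and the third sample line, with its `webmail.example.invalid` URL, is constructed to show a positive hit. The first two sample lines are taken from the log quoted in the message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format, the same layout as the lines quoted in the
# message (host, ident, user, [time], "request", status, size, "referer", "agent").
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed heuristics for "this looks like a session token in a URL":
#  - a query parameter whose name suggests a session (sid, session, token, ...)
#  - a path segment or query value of 16+ hex characters
# These are the editor's guesses at a useful detection rule, not a sqwebmail URL format.
PARAM_RE = re.compile(r'[?&](?:sid|session|sessionid|token)=([^&]+)', re.I)
TOKEN_RE = re.compile(r'(?:^|[/=&])([0-9a-fA-F]{16,})(?=$|[/?&])')


@dataclass
class Hit:
    host: str      # client that sent the request (its Referer leaked the token)
    referer: str   # the full Referer URL as logged
    token: str     # the session-looking value found inside it


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into named fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def leaked_token(referer: str) -> Optional[str]:
    """Return a session-looking token carried by a Referer URL, else None."""
    if referer in ('', '-'):          # Apache logs "-" when no Referer was sent
        return None
    m = PARAM_RE.search(referer) or TOKEN_RE.search(referer)
    return m.group(1) if m else None


def find_referer_leaks(lines: List[str]) -> List[Hit]:
    """Scan log lines and report every request whose Referer carries a session-looking token."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tok = leaked_token(rec['referer'])
        if tok:
            hits.append(Hit(rec['host'], rec['referer'], tok))
    return hits


# Sample input: the first two lines are from the log quoted in the message; the third is
# constructed for this example, with a hypothetical webmail URL that embeds a session id.
SAMPLE_LINES = [
    'manticore.digital-network.net - - [17/Nov/2003:20:23:07 +0100] "GET / HTTP/1.1" 200 509 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"',
    'manticore.digital-network.net - - [17/Nov/2003:20:23:08 +0100] "GET /menu.html HTTP/1.1" 200 861 '
    '"http://www.xxxxx.org/" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"',
    'client.example.invalid - - [17/Nov/2003:20:25:00 +0100] "GET / HTTP/1.1" 200 509 '
    '"http://webmail.example.invalid/mail/session/0123456789abcdef0123456789abcdef/inbox" "Mozilla/5.0 (constructed)"',
]

if __name__ == '__main__':
    for hit in find_referer_leaks(SAMPLE_LINES):
        print(f'{hit.host} leaked session-looking token {hit.token} via Referer {hit.referer}')
```

Run against the two genuine lines the script reports nothing, which is exactly Christophe's observation: the Referer is a plain site URL. A webmail operator can apply the same check the other way round, by linking from a test mailbox to a page whose log they control and confirming that nothing session-shaped ever appears in the Referer field; the IP binding Christophe mentions is a second, independent layer, and neither replaces keeping the session identifier out of the URL in the first place.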