<<< Date Index >>>     <<< Thread Index >>>

PCL-0002: Session Hijacking in "Sqwebmail"



---------------------------
PUCCIOLAB.ORG - ADVISORIES
<http://www.pucciolab.org>
---------------------------

PCL-0002: Session Hijacking in "Sqwebmail"

---------------------------------------------------------------------------
PuCCiOLAB.ORG Security Advisories                    puccio@xxxxxxxxxxxxx
http://www.pucciolab.org                             Vincenzo Ciaglia
November 18th, 2003
---------------------------------------------------------------------------

Package        : Sqwebmail
Vendor         : Inter7
Vulnerability  : access to private account without login, session
hijacking
Problem-Type   : remote
risk           : low
Version        : All the version seems to be affected.
Official Site  : http://www.inter7.com/sqwebmail/sqwebmail.html
N Advisories  : 0002

***********************
About Sqwebmail
***********************
SqWebMail is a web CGI client for sending and receiving E-mail using
Maildir mailboxes. SqWebMail DOES NOT support
traditional Mailbox files, only Maildirs. This is the same webmail server
that's included in the Courier mail server,
but packaged independently. If you already have Courier installed, you do
not need to download this version.

***********************
Proof of concepts
************************
An attacker could send an email to a victim who used SQWEBMAIL, to get the
victim to visit a website, which then logs all
available information about the victim's system.

Example:
-------------------
MY STAT FOR MY WEBSITE - REFERENT DOMAIN
http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trash&form=folders


In this example, the victim has visualized our website reading the mail
that we have sent to him. Visiting the link is been
marked from our counter. Now we will be able to access to the victim's
mail page admin and will be able to read and to send, calmly,
its email without make login. The session comes sluice after approximately
20/30 minutes and the attacker has the time
to make its comfortable ones.

*************************
What could make a attacker?
*************************
Read, write and fake your e-mail. Could send , from you email address, a
mail to your ISP and ask it User e PASS of your
website. The consequences would be catastrophic.

*************************
What I can do ?
*************************
Actually seems that there isn't a patch for this problem.

*************************
Suggestion to SQWEBMAIL
*************************
It would have to reduce the time for the closing of the sessions.

Greet,
Vincenzo Ciaglia
puccio@xxxxxxxxxxxxx