Re: PCL-0002: Session Hijacking in "Sqwebmail"

To: Vincenzo Ciaglia <puccio@xxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: PCL-0002: Session Hijacking in "Sqwebmail"
From: Christophe Casalegno <christophe.casalegno@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 17 Nov 2003 20:38:46 +0100
In-reply-to: <Pine.LNX.4.58.0311180214310.1172@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Digital Network
References: <Pine.LNX.4.58.0311180214310.1172@xxxxxxxxxxxxxxxxxxxx>
Reply-to: christophe.casalegno@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.5.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le Mardi 18 Novembre 2003 02:18, Vincenzo Ciaglia a écrit :

> In this example, the victim has visualized our website reading the mail
> that we have sent to him. Visiting the link is been
> marked from our counter. Now we will be able to access to the victim's
> mail page admin and will be able to read and to send, calmly,
> its email without make login. The session comes sluice after approximately
> 20/30 minutes and the attacker has the time
> to make its comfortable ones.
>

That does'nt work on my system.  There is also a protection by ip on sqwebmail 
that verify this is the authentified ip that try to acces mailbox, but it 
isn't the problem :

This is a apache web log on the visited site that comes from a sqwebmail mail 
link :

manticore.digital-network.net - - [17/Nov/2003:20:23:07 +0100] "GET /
HTTP/1.1" 200 509 "-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4)
Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:08 +0100] "GET /menu.html
HTTP/1.1" 200 861 "http://www.xxxxx.org/"; "Mozilla/5.0 (X11; U; Linux i686;
fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:08 +0100] "GET
/corps.html HTTP/1.1" 200 1041 "http://www.xxxxx.org/"; "Mozilla/5.0 (X11; U;
Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:10 +0100] "GET
/Images/miscmag9.jpg HTTP/1.1" 200 45795 "http://www.xxxxx.org/corps.html";
"Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"
manticore.digital-network.net - - [17/Nov/2003:20:23:10 +0100] "GET
/Images/menu.gif HTTP/1.1" 200 1071 "http://www.xxxxx.org/menu.html";
"Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.4) Gecko/20030630 Galeon/1.3.8"

friendly,

- -- 
Christophe Casalegno | Digital Network | UIN : 153305055
http://www.digital-network.net | http://www.speed-connect.com
http://www.securite-reseaux.com | http://www.dnsi.info
Security engineer network/systems | Intrusion tests specialist.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/uSPG0mOixX2DR8IRAgwwAKChwAXyEaWJ8as9xw2GMHo8Q37AEgCeLyIV
RF5GZxFnNcl62C7TAOLfwjs=
=E5Jm
-----END PGP SIGNATURE-----

References:
- PCL-0002: Session Hijacking in "Sqwebmail"
  - From: Vincenzo Ciaglia

Prev by Date: Re: VMWare GSX Server Authentication Server Buffer Overflow Vulnerability - Update
Next by Date: Security researchers organization
Previous by thread: PCL-0002: Session Hijacking in "Sqwebmail"
Next by thread: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier
Index(es):
- Date
- Thread