|
Date: Sat, 24 Apr 1999 08:59:19 +0300 From: Philip Stoev <philip@EINET.BG> To: BUGTRAQ@netspace.org Subject: eGROUPS security flaw eGROUPS (wwww.egroups.com) is a web site providing mailing list services. The mailing lists (aka groups) can be moderated, and the moderator can approve/revoke posted messages by sending blank emails to certain addresses in the egroups system. This makes it trivial for anyone to approve a message without being a moderator. 1. Take a look at the header of some previous message sent to the group. Extract the following header line: Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com> the number XXX here is a sequence number assigned to each message sent to the group. 2. Send the message you want to send to the list. The message will be sent to the moderator for approval. 3. Send 256 blank messages to addresses like: GROUPNAME-accept-ZZmYYY@egroups.com Where ZZ is a hexadecimal number from 00 to FF. YYY is XXX + 1; The presence of the ZZ number appears to be an attempt to put some security into the entire system. However, this number is constant for each group and does not change in time. Once guessed, subsequent messages can be approved with a single email. Your message will appear as if approved by the moderator and will be distributed to the group. No header spoofing is necessary, because the eGROUPS system does not check the source address of the incoming messages. eGROUPS was notified exactly one week ago. Philip Stoev -Prepare for SAT & TOEFL at http://studywiz.hypermart.net =This message was sent by Philip Stoev (philip@einet.bg) =tel: (359 2) 715949, ICQ: 23465869