Vulnerability

    WebMail

Affected

    comm.lycos.com, angelfire.com, eudoramail.com, etc

Description

    Philip  Stoev  found  following.   WebMail  (possibly WhoWhere.com
    software)   as   installed   on   comm.lycos.com,   angelfire.com,
    eudoramail.com  and  others  allows  an  attacker  to hijack other
    people's attachments by  modifying the hidden  form fields on  the
    compose message form.   If a file  is attached to  a message,  the
    compose message form has a hidden form field that looks  something
    like this:

        filename.txt = /tmp/cache/24377.550

    By setting it  to a similar  value, one can  send email containing
    someone else's attachments.  For example:

        filename.txt = /tmp/cache/24377.549

    It was also possible to do ../..-style directory transversal.

    The nature of the problem lies in the following:
    1. User  is allowed  to reference  attachments belonging  to other
       users, that is, there were no file-ownership checks.
    2. User input was not validated for ".." character sequences.
    3. Naming of temporary files followed an easy-to-predict numbering
       scheme.

    This problem is trivial to  exploit by hand by saving  the compose
    message  HTML  form  locally  and  modifying  it.   However, it is
    imperative to  note that  enforcing strict  user-agent, cookie and
    referer check  does not  prevent such  vulnerabilities from  being
    exploited.  There are publicly  available tools (Such as The  ELZA
    at  www.stoev.org)  that  allow  for  the  exploitation  of   such
    vulnerabilities, while  preserving stealth  behavior with  respect
    to cookies, referers and user-agent strings to the extent required
    to keep the web site software happy.

Solution

    The vendor has fixed this particular problem, however all web mail
    vendors are  hereby urged  to evaluate  their systems  for similar
    problems.