[10348] in bugtraq
eGROUPS security flaw
daemon@ATHENA.MIT.EDU (Philip Stoev)
Sat Apr 24 13:23:06 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 7bit
Message-Id: <199904240557.IAA21360@sonata.einet.bg>
Date: Sat, 24 Apr 1999 08:59:19 +0300
Reply-To: Philip Stoev <philip@EINET.BG>
From: Philip Stoev <philip@EINET.BG>
To: BUGTRAQ@NETSPACE.ORG
eGROUPS (wwww.egroups.com) is a web site providing mailing list services.
The mailing lists (aka groups) can be moderated, and the moderator can
approve/revoke posted messages by sending blank emails to certain addresses
in the egroups system. This makes it trivial for anyone to approve a
message without being a moderator.
1. Take a look at the header of some previous message sent to the group.
Extract the following header line:
Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com>
the number XXX here is a sequence number assigned to each message sent to
the group.
2. Send the message you want to send to the list. The message will be sent
to the moderator for approval.
3. Send 256 blank messages to addresses like:
GROUPNAME-accept-ZZmYYY@egroups.com
Where
ZZ is a hexadecimal number from 00 to FF.
YYY is XXX + 1;
The presence of the ZZ number appears to be an attempt to put some security
into the entire system. However, this number is constant for each group and
does not change in time. Once guessed, subsequent messages can be approved
with a single email.
Your message will appear as if approved by the moderator and will be
distributed to the group. No header spoofing is necessary, because the
eGROUPS system does not check the source address of the incoming messages.
eGROUPS was notified exactly one week ago.
Philip Stoev
-Prepare for SAT & TOEFL at http://studywiz.hypermart.net
=This message was sent by Philip Stoev (philip@einet.bg)
=tel: (359 2) 715949, ICQ: 23465869
