eng-1199.txt
Posted Nov 29, 1999
Authored by set

English Version - Several members of SET have discovered key flaws in the security of ciudad.com.ar; the incorrect configuration of the EdgeMail system, used to offer mail services through the web, appears to be the cause. Ciudad.com.ar is an Argentinian portal offering free webmail accounts as well as chat and ICQ-style messaging; over 150.000 accounts could have been compromised. SET homepage here.

tags | web, magazine
SHA-256 | cfa0c4e9da0da0896be536a05c0db4d707d2497f221da6cd6335b602748cfa9a



SET <set-fw@bigfoot.com>
November 1999 http://www.imedia.es/set/us/eng-1199.txt


---[ CONTENTS ]---

- 01 - Introduction
- 02 - Problems found
- 03 - Q&A
- 04 - Conclusions




- 01 ---------------------- Introduction ------------------------

Several members of SET have discovered key flaws in the security of
ciudad.com.ar; the incorrect configuration of the EdgeMail system, used to
offer mail services through the web, appears to be the cause.
Ciudad.com.ar is an Argentinian portal offering free webmail accounts as
well as chat and ICQ-style messaging; over 150.000 accounts could have been
compromised.




- 02 ---------------------- Problems found ----------------------

After finding the host responsible for running the service and storing the
data, we learned that anyone could:

#1 Read any mail
#2 Hijack accounts
#3 Access the password file
#4 Get POP accounts settings
#5 Determine active users



[#1] Read any mail

By going to a specific URL it is possible to read any mail stored on the
server without performing any kind of authentication. We'll learn by example:

http://vulnerablesitein.ciudad.com.ar/edgemail/folders/

will list directory entries for the characters [0-9,a-z]; every user's mail is
placed in the directory matching the first character of their username.
So imagine we'd like to see the mail of user "nosuchuser"; we'd go to:

http://vulnerablesitein.ciudad.com.ar/edgemail/folders/n/

And scroll down until we find entries like:

./n/nosuchuser.InBox 4k
./n/nosuchuser.Sent 3k

Clicking on the link brings up the usual unix-style plain text mailbox file
with all the mail for that folder.



[#2] Hijack accounts

While the first problem 'only' lets the attacker read mail, we found that
it's possible to "take over" any existing account. ciudad.com.ar has a 3-step
process to create a new account; the first step checks the desired username
and returns an error if it already exists. The bug lies in the fact that the
Perl script actually called to create the account DOES NOT check whether that
username exists (step 1 was supposed to have taken care of it), so if we go to
a URL like:


http://vulnerablesitein.ciudad.com.ar/cgi-bin/creawebmail.pl?user=testuser&
pass=anypassword&srvid=1
[Line wrapped for clarity]

we'll have created a new account, bypassing the checks (and the personal info
screens :-) ).

We can hijack the webmail of nosuchuser@ciudad.com.ar by giving her username
in the user field; note that all folders are _deleted_ when you proceed this
way.
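
The root cause of #2 is a creation step that trusts an earlier, separate check. The following is an added example, not EdgeMail's code and not part of the original advisory; it assumes a hypothetical per-letter folder layout (root/n/nosuchuser.InBox) modelled on what the advisory describes. It contrasts a creation routine that recreates folders unconditionally (wiping an existing user's mail, as the advisory reports) with a hardened one in which the creation step itself refuses an existing username atomically, using O_EXCL so there is no window between "does it exist?" and "create it". The hardened routine also stores a salted PBKDF2 hash instead of the password itself, which limits the damage if the user file is ever exposed as in #3.

```python
import hashlib
import os
import secrets
import tempfile

# Hypothetical layout, constructed for this example (not EdgeMail's real code):
# <root>/<first letter>/<user>.InBox, <root>/<first letter>/<user>.Sent,
# and a <root>/users credentials file.


def _account_dir(root, user):
    return os.path.join(root, user[0].lower())


def _folder_path(root, user, folder):
    return os.path.join(_account_dir(root, user), f"{user}.{folder}")


def hash_password(password, salt=None):
    """Return 'salt$hex' using PBKDF2-HMAC-SHA256; the clear text is never stored."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return f"{salt}${digest.hex()}"


def create_account_unchecked(root, user, password):
    """Mirrors the flaw in #2: assumes step 1 already rejected existing
    usernames, so it (re)creates the folders unconditionally, truncating
    whatever mail was there, and appends the password as given."""
    os.makedirs(_account_dir(root, user), exist_ok=True)
    for folder in ("InBox", "Sent"):
        with open(_folder_path(root, user, folder), "w"):
            pass  # "w" truncates an existing folder file
    with open(os.path.join(root, "users"), "a") as f:
        f.write(f"{user}:{password}\n")
    return True


def create_account_checked(root, user, password):
    """Hardened version: validates the name and makes the existence check
    and the creation a single atomic step (O_CREAT | O_EXCL)."""
    if not user.isalnum() or len(user) > 32:
        raise ValueError("bad username")
    os.makedirs(_account_dir(root, user), exist_ok=True)
    inbox = _folder_path(root, user, "InBox")
    try:
        fd = os.open(inbox, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False  # account exists: leave its mail untouched
    os.close(fd)
    with open(_folder_path(root, user, "Sent"), "a"):
        pass
    with open(os.path.join(root, "users"), "a") as f:
        f.write(f"{user}:{hash_password(password)}\n")
    return True


def read_folder(root, user, folder):
    with open(_folder_path(root, user, folder)) as f:
        return f.read()


def demo():
    """Constructed scenario: nosuchuser already has mail; a second
    'create nosuchuser' request arrives and hits each routine in turn."""
    root = tempfile.mkdtemp()
    create_account_checked(root, "nosuchuser", "s3cret")
    with open(_folder_path(root, "nosuchuser", "InBox"), "w") as f:
        f.write("From alice Mon Nov 29 1999\nhello\n")
    kept = create_account_checked(root, "nosuchuser", "other")  # False
    mail_after_checked = read_folder(root, "nosuchuser", "InBox")  # unchanged
    create_account_unchecked(root, "nosuchuser", "other")  # wipes the folders
    mail_after_unchecked = read_folder(root, "nosuchuser", "InBox")  # ""
    return kept, mail_after_checked, mail_after_unchecked


if __name__ == "__main__":
    print(demo())
```

The point of O_EXCL is that a lookup followed by a create, even inside the same script, still leaves a race; a single exclusive create does not. The checked routine also refuses to rely on anything the earlier form step did, which is the property the advisory says the original script lacked.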



[#3] Access the password file

Over 150.000 passwords were left open for anyone to see. The problem is bigger
if you consider that:

- Most of these passwords are also used in services like ciudad.com.ar's chat
or instant messaging.
- Prima, the owner of ciudad.com.ar, is a national ISP in Argentina; many users
will no doubt have the same password for dial-up, POP and web-mail accounts,
FTP access and so on...

Once it was determined that the EdgeMail installation was exploitable, it is as
simple as:

http://vulnerablesitein.ciudad.com.ar/edgemail/auth/users

This could have permitted potential intruders to obtain free, unlimited access
to unsuspecting users' accounts, delete individual pieces of e-mail, forge
messages, etc.



[#4] Get POP accounts settings

It's nice to check a POP account from the browser, and it's nice to integrate
mail from different accounts into one centralized place, but it isn't nice if
you are exposed to having all your accounts compromised at once. As many
systems do, EdgeMail allows checking remote accounts and offers the option of
saving the settings for future sessions; these settings include the POP server,
POP username and POP password. EdgeMail saves this info in a database file
under the /data subdirectory. Let's go to:

http://vulnerablesitein.ciudad.com.ar/edgemail/data/pops

It's a safe bet to assume that many of these passwords are the same passwords
used for dial-up access and FTP access, opening up new accounts in many
different ISPs.



[#5] Determine active users

Ever wonder if nosuchuser@ciudad.com.ar is online now? What IP is she using?
But you know she didn't wanna tell you, so... what can we do? I think you'd
like the EdgeMail active users feature :-). Just type in your browser:

http://vulnerablesitein.ciudad.com.ar/edgemail/active/

It will show a listing of all the users currently logged in, with their IPs.
An _example_:


adxxx@200.41.229.xxx:+ 15-Jan-99 22:32 0K
adrxx@200.43.37.xxx:00+ 15-Jan-99 22:14 0K
adrixx_xxxxx@200.16.1+ 15-Jan-99 21:45 0K
adrixxxxxx@200.42.16.+ 15-Jan-99 22:31 0K
adrixxxxxxx@24.232.9.+ 15-Jan-99 22:11 0K
adriaxxxxxxx@168.96.1+ 15-Jan-99 22:55 0K
...................... ............... ..
...................... ............... ..
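
All five problems share one symptom on the server side: anonymous, successful (200) requests to EdgeMail's folders, auth, data and active paths, or to the account-creation CGI with a user parameter, where a correctly configured deployment should return a redirect to the login page or a 403/404. The following is an added example for administrators reviewing their own web server logs; it is not part of the original advisory and assumes a Common Log Format access log. The log lines are constructed for the example (RFC 5737 documentation addresses), and the path list is taken from the URLs the advisory reports.

```python
import re
from collections import Counter

# Paths the advisory reports as reachable without authentication on the
# misconfigured installation. A correct deployment should never serve them
# to anonymous clients with a 200.
EXPOSED_PREFIXES = (
    "/edgemail/folders/",
    "/edgemail/auth/users",
    "/edgemail/data/pops",
    "/edgemail/active/",
)
ACCOUNT_CGI = "/cgi-bin/creawebmail.pl"

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample log (not real traffic); documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/1999:22:14:05 -0300] "GET /edgemail/folders/n/ HTTP/1.0" 200 5120
203.0.113.7 - - [29/Nov/1999:22:14:09 -0300] "GET /edgemail/folders/n/nosuchuser.InBox HTTP/1.0" 200 4096
203.0.113.7 - - [29/Nov/1999:22:15:30 -0300] "GET /edgemail/auth/users HTTP/1.0" 200 3900000
203.0.113.7 - - [29/Nov/1999:22:16:01 -0300] "GET /cgi-bin/creawebmail.pl?user=nosuchuser&pass=x&srvid=1 HTTP/1.0" 200 210
198.51.100.4 - - [29/Nov/1999:22:16:40 -0300] "GET /edgemail/login.html HTTP/1.0" 200 1870
198.51.100.4 - - [29/Nov/1999:22:17:02 -0300] "GET /edgemail/data/pops HTTP/1.0" 403 290
"""


def classify(line):
    """Return (client, kind, path) for a line that matches an exposure pattern,
    or None. Only 200 responses count: a 403/404 means the path is closed."""
    m = CLF.match(line)
    if not m:
        return None
    host, _ts, _method, path, status, _size = m.groups()
    path_only = path.split("?", 1)[0]
    if status != "200":
        return None
    for prefix in EXPOSED_PREFIXES:
        if path_only.startswith(prefix):
            return (host, "exposed-file", path_only)
    # Direct hits on the creation script with a user parameter bypass the
    # form flow described under #2; legitimate sign-ups come through it too,
    # so this is a signal to review, not proof of abuse by itself.
    if path_only == ACCOUNT_CGI and "user=" in path:
        return (host, "account-create", path_only)
    return None


def scan_log(lines):
    """Classify every line; return the findings and a per-client count."""
    findings = [f for f in (classify(ln) for ln in lines) if f]
    by_host = Counter(host for host, _kind, _path in findings)
    return findings, by_host


if __name__ == "__main__":
    found, hosts = scan_log(SAMPLE_LOG.splitlines())
    for host, kind, path in found:
        print(f"{host:16} {kind:15} {path}")
    print(hosts)
```

Run against a real log, a single client appearing under both "exposed-file" and "account-create" within minutes is the sequence the advisory describes (read the folder listing, then take the account over). Once the paths are closed off, the same scan doubles as a regression check: any new 200 on those prefixes means the configuration has drifted back.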




- 03 ----------------- Q&A: Questions and Answers. ----------------


0x01? I'm a user from ciudad.com.ar, what should I do?

Change your password IMMEDIATELY; change all the passwords that could have
been compromised, and don't forget to check that you're not using the same
password to access other services.
Don't worry about your mail. I know it sounds strange, but the admin of ciudad
has already been informed and will have corrected all the issues by the time
you read this.

0x02? I'm using EdgeMail in my site, am I at risk?

Sorry, we can't tell you; our best bet is that this is a specific problem of
the ciudad.com.ar configuration and not related to EdgeMail. Try the example
URLs given above; if they work on your site then you are at risk too!

0x03? I'm using (you name it) web mail account, is it secure?

No system is secure; bugs come and go. You SHOULDN'T use webmail systems to
store or send sensitive information such as financial records, VISA numbers,
passwords, etc. Sadly most people don't know, don't care, and one day they
might find out they have learned the hard way.
We repeat: DON'T USE webmail systems (HotMail, YahooMail, etc.) to store
anything you wouldn't like anyone to see.
You should also start considering *encrypting* your messages.




- 04 -------------------- Conclusions ---------------------------


Keep calm; if you have an account in ciudad.com.ar you should know that
it's probably safer than ever :->. Pay attention to the advice given
above, use encryption (don't store the keys on the server!!), try to keep
up to date with security news and relax... la vita e bella.


Links:

http://www.ciudad.com.ar -- Ciudad main site
http://www.set-ezine.org -- SET
http://www.edgemail.com -- Edgemail
http://packetstorm.securify.com/mag/set -- Copies of SET Ezine (Spanish only!)

Spanish (espanol) version http://www.imedia.es/set/web/set-1199.txt


Feel free to copy and distribute.

SET (c) 1999.