-
August 17th, 2004, 03:02 PM
#1
Uneasy trend - Static Webmail Session IDs
Lately I have taken special note of the increase in webmail use at my facility. This is the normal response when restrictions are placed in our acceptable use policy for internal e-mail use.
The Issue:
=============================
Static webmail session IDs
Example:
=============================
http://ms04.mrf.mail.rcn.net/wm/mail...ail&mbox=INBOX
NOTE!!! I changed the SessionID so don't bother trying to get into this account.
The Guilty
=============================
Well you can easily see that RCN is at fault here but they are not alone. *MANY* ISPs are using this lazy approach. My advice to you is to copy the URL to your webmail session to a text file then take it to another PC and see if you can access your inbox. I have a list of 37 ISPs who currently employ this horribleness. I have informed each and every one along with the user. So far, only 3 have made changes.
In the past, I used to be able to release info on problem ISPs but DHS has spoken and I no longer can without a ton of red tape traversal. Just do yourself a favor and be sure that your ISP doesn't set static sessionIDs on your webmail sessions. Think about what I can do if I can gain access to your account this way. Muhwahahahaa.
Seriously though. I can't say it enough. Check into it.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 17th, 2004, 03:51 PM
#2
I've seen more than just webmail implement this. Certain forum software was vulnerable this way as well. In most cases I've seen the developers opted to rely on their own method of generating SIDs, which was often non-random due to how the SIDs were generated.
All I can say is if you are implementing webmail (far easier than it sounds), go with Horde. The Imp and Turba packages are all you need for just standard webmail.
Edit: Yeah, misread the original message.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 17th, 2004, 03:56 PM
#3
I'm actually surprised you rely on an ISP to run webmail for ya horse, I was under the impression you worked at a large organization.
I think he means people logging on to their home ISP's email accounts from work.
Horsey is our government guy. That is a very large organization.
[H]ard|OCP <--Best hardware/gaming news out there--|
pwned.nl <--Gamers will love this one --|
Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
-
August 17th, 2004, 04:21 PM
#4
Yep, these are personal accounts being accessed. You should know me better than that.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 17th, 2004, 06:49 PM
#5
Read this with interest...
Call me thick, (no... no... I didn't mean it!), but I'm not entirely sure what thehorse13 means by "Static webmail session IDs"
I guessed, after looking at my webmail URL when logged in, thehorse13 was typing about the use of variables in the URL. Mine has these if they are preceded by a %.
If I'm wrong would someone tell me I'm thick and then enlighten me?
Thanks.
Tomorrow is another day for yesterdays work!
-
August 17th, 2004, 07:01 PM
#6
You're thick. :P
A Session ID is just a unique identifier for a particular "visit" (Session) to a piece of web software. Having static session IDs is bad because it means someone can copy your URL and always get to your mailbox from wherever they like in many cases, though not all. The entire system is a kludge way of turning web software into desktop software, and there are a number of issues to take into consideration when designing web-based software. HTTP was not meant to be a persistent connection client-server protocol, and a lot of issues arise from it.
Now, these session IDs can be stored in a number of places, among which is the URL. Commonly they are put in URLs, "Session cookies" (a special type of cookie/header that expires when the session is terminated), or in real Cookies. Some bad implementations also rely on POSTed variables (<input type="hidden">).
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
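To make the distinction in posts #1 and #6 concrete, here is an added example (not code from this thread or from any of the webmail products mentioned) that puts the "static" anti-pattern next to a proper server-side session table. The static version derives the ID from account data, so it is identical on every login and a copied URL keeps working anywhere; the random version hands out a fresh opaque ID per login, forgets it on logout (the "you have logged out" error seen later in the thread), and expires it after an idle period. The usernames, the 15-minute timeout and the injectable clock are constructed for the demo.

```python
import hashlib
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG
IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed value: drop sessions idle > 15 min


def static_session_id(username: str) -> str:
    """The anti-pattern the thread is about: an ID derived deterministically
    from account data. It is the same on every login, so a URL that carries
    it keeps working from any machine until the account name changes."""
    return hashlib.sha256(username.encode()).hexdigest()


class SessionStore:
    """Server-side session table. The ID is an opaque random handle that the
    server maps back to the login; nothing about the user can be recovered
    from it, and it stops working the moment the server forgets it."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._sessions = {}            # sid -> {"user": str, "last_seen": float}

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # fresh on every login
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the user behind a presented ID, or None if the ID is
        unknown, already logged out, or idle past the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]    # expired: same effect as a logout
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        # After this, a pasted copy of the old URL no longer resolves to a user
        self._sessions.pop(sid, None)

    def active_sessions(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("alice")
    second = store.login("alice")
    print("static id identical across logins:",
          static_session_id("alice") == static_session_id("alice"))
    print("random id identical across logins:", first == second)
    store.logout(first)
    print("old id resolves after logout     :", store.lookup(first))
```

The check the original post recommends (does the session URL still work elsewhere, and after logout?) is exactly what `lookup` after `logout` answers on the server side: a store like this returns nothing for the old ID, while the static scheme has no server-side state to forget and so cannot refuse it.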
-
August 17th, 2004, 07:13 PM
#7
I thought I was!
Thanks for that chsh. That makes sense to me. So I can't be completely thick! lol
One further question then, if I may? How can I tell that the URL that thehorse13 placed in his posting uses a static webmail session id?
More importantly how do I know if my URL, when logged into my webmail, uses a static session id?
You've scared me now. Not that I use webmail a lot, only occasionally, but I'm wondering how secure it is!
Tomorrow is another day for yesterdays work!
-
August 17th, 2004, 07:55 PM
#8
Take a closer look. There is a sessionID=(lots of letters and numbers) statement in there.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 17th, 2004, 08:02 PM
#9
Duoh! I am Thick!!
Thanks for that thehorse13. Needed to look at the full string as displayed at the bottom of IE (I know, I know IE, but I'm at work and have no choice! LOL).
Boy do I feel like an idiot now! How obvious was that!?!
Time to go home me thinks!
[EDIT]
Just been to my webmail logged in, captured the URL in the address bar, logged out, then pasted the URL back into the address bar. It gave me an error, saying I had logged out, etc, etc.
So feel a little relieved now!
[/EDIT]
Tomorrow is another day for yesterdays work!
-
August 17th, 2004, 10:41 PM
#10
It's kinda fun catching these when people try to get to their webmail from work.... If they are static you can then send them an email from their own account pointing out the danger.....
They seem to stop trying to use their webmail from work really quickly ....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides