- Date: Sat, 24 Apr 1999 08:59:19 +0300
- From: Philip Stoev <philip@EINET.BG>
- To: BUGTRAQ@netspace.org
- Subject: eGROUPS security flaw
-
- eGROUPS (wwww.egroups.com) is a web site providing mailing list services.
- The mailing lists (aka groups) can be moderated, and the moderator can
- approve/revoke posted messages by sending blank emails to certain addresses
- in the egroups system. This makes it trivial for anyone to approve a
- message without being a moderator.
-
- 1. Take a look at the header of some previous message sent to the group.
- Extract the following header line:
-
- Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com>
-
- the number XXX here is a sequence number assigned to each message sent to
- the group.
-
- 2. Send the message you want to send to the list. The message will be sent
- to the moderator for approval.
-
- 3. Send 256 blank messages to addresses like:
-
- GROUPNAME-accept-ZZmYYY@egroups.com
-
- Where
- ZZ is a hexadecimal number from 00 to FF.
- YYY is XXX + 1;
-
- The presence of the ZZ number appears to be an attempt to put some security
- into the entire system. However, this number is constant for each group and
- does not change in time. Once guessed, subsequent messages can be approved
- with a single email.
-
- Your message will appear as if approved by the moderator and will be
- distributed to the group. No header spoofing is necessary, because the
- eGROUPS system does not check the source address of the incoming messages.
-
- eGROUPS was notified exactly one week ago.
-
- Philip Stoev
-
- -Prepare for SAT & TOEFL at http://studywiz.hypermart.net
- =This message was sent by Philip Stoev (philip@einet.bg)
- =tel: (359 2) 715949, ICQ: 23465869
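A hardened form of the accept-address scheme described above, as an added example (not part of the original post and not eGROUPS code): the token is a 128-bit HMAC bound to both the group and the message sequence number, and each address is honoured once. The key handling, the `lists.example` domain and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, generated once and kept server-side.
SERVER_KEY = secrets.token_bytes(32)
DOMAIN = "lists.example"  # placeholder domain


def _token(group: str, seq: int, key: bytes) -> str:
    """128-bit MAC over group and sequence number, so it differs per message."""
    msg = f"{group}\x00{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def approval_address(group: str, seq: int, key: bytes = SERVER_KEY) -> str:
    """Address mailed only to the moderator for pending message `seq`."""
    return f"{group}-accept-{_token(group, seq, key)}m{seq}@{DOMAIN}"


def verify_approval(rcpt: str, pending: set, key: bytes = SERVER_KEY) -> bool:
    """True only for a well-formed address carrying a valid MAC for a message
    that is still pending; the entry is consumed so the address works once."""
    local, _, domain = rcpt.partition("@")
    group, sep, rest = local.rpartition("-accept-")
    token, m, seq_text = rest.partition("m")  # hex tokens never contain 'm'
    if domain != DOMAIN or not sep or not m:
        return False
    if not (seq_text.isascii() and seq_text.isdigit()):
        return False
    seq = int(seq_text)
    # Constant-time comparison on bytes; the sender address is not trusted.
    if not hmac.compare_digest(token.encode(), _token(group, seq, key).encode()):
        return False
    if (group, seq) not in pending:
        return False
    pending.remove((group, seq))
    return True
```

Because the sender address of incoming mail can be forged, the check relies on the unguessable token rather than on who the message claims to be from.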