mail.md hack

10/21/08 | by zveriu | Categories: AskAmit, Hack, Cookies, Sessions

It was back in 2004, when I was still at UPB and waiting for my final interviews with Ubisoft Romania. I had some spare time and also took an interest in mail.md security research, having previously attempted to find security holes in it without much luck.

At the same time, I saw the post below from k0t about his research on this topic:
Xakep Online > Reading other people's mail on Mail.md

A few days of intensive testing and I got the script working. Since then, I have just beautified it and commented it properly. The attack would have involved:

  • social engineering - sending the victim a fake email with FROM: set to, say, admin@mail.md and asking, with very convincing reasons, to click-open the attached HTML. Anyway, almost any mail sent from an HTML-capable web-mail (Yahoo, etc.) arrived in mail.md with a file attachment like part2.html (possibly because it didn't have proper HTML processing in place)
  • gathering sufficient mail addresses to make it a mass attack - using various mail-collecting tools (crawling HTML pages and parsing all *@mail.md text) and probing tools (SMTP probing with bruteforce or dictionary-based generators; MailOMatic and the like), I got nearly 3000 mail addresses for mail.md
  • automating the fake mailing with tools like Mail Bomber - I never got to that point, even though I had everything in place (mail addresses, a working script, Mail Bomber and similar tools)

Recently, some script kiddie revived the dead here:
mail.md, or reading Moldovans' mail

Here is an archive with files: Mail.md hack script (working back in 2004-2005)

Now, this attack is not working because:

  • it moved from CGI-BIN to some kind of PHP engine
  • they fixed the design so that changing the secret question/answer or password requires the old password, which we actually don’t know and don’t want to know/bruteforce

However, they have kept most of the URL encoding of actions, sessions and folders, so they likely didn't get rid of the old engine entirely. Also, they had some stack problems with the old CGI-BIN, but I cannot recall or find any notes on how to reproduce them…

That's for now. And as a final note: security is an ongoing process, not a final goal.

DISCLAIMER: this post is intended purely for security research and educational purposes, and to urge the vendor to fix the problems posing threats to its customers. Any use of this information is the sole responsibility of the reader/user, and the author is not to be held liable for any misuse of the above informative technical details.

Cognitive and Scientific Brainology

A deep dive into brain's curiosities
