Date: Sat, 24 Apr 1999 08:59:19 +0300
From: Philip Stoev <philip@EINET.BG>
To: BUGTRAQ@netspace.org
Subject: eGROUPS security flaw

eGROUPS (wwww.egroups.com) is a web site providing mailing list services.
The mailing lists (aka groups) can be moderated, and the moderator can
approve/revoke posted messages by sending blank emails to certain addresses
in the egroups system. This makes it trivial for anyone to approve a
message without being a moderator.

1. Take a look at the header of some previous message sent to the group.
Extract the following header line:

Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com>

the number XXX here is a sequence number assigned to each message sent to
the group.

2. Send the message you want to send to the list. The message will be sent
to the moderator for approval.

3. Send 256 blank messages to addresses like:

   GROUPNAME-accept-ZZmYYY@egroups.com

Where
   ZZ is a hexadecimal number from 00 to FF.
   YYY is XXX + 1;

The presence of the ZZ number appears to be an attempt to put some security
into the entire system. However, this number is constant for each group and
does not change in time. Once guessed, subsequent messages can be approved
with a single email.

Your message will appear as if approved by the moderator and will be
distributed to the group. No header spoofing is necessary, because the
eGROUPS system does not check the source address of the incoming messages.

eGROUPS was notified exactly one week ago.

Philip Stoev

-Prepare for SAT & TOEFL at http://studywiz.hypermart.net
=This message was sent by Philip Stoev (philip@einet.bg)
=tel: (359 2) 715949, ICQ: 23465869