Post by Rift on Apr 23, 2004 13:49:19 GMT -5
I have found what I think to be a potential problem in the Forum feature of MSN Groups. I have tried contacting MSN Groups via the MSN Feedback form and by using the Groups Contact Us page located here: groups.msn.com/contact. I have still not received any e-mail as of yet and I doubt I will, being that they were sent notification almost 6 months ago.
I found this problem sometime last year. You will notice that when you are part of an MSN Community you have the option to receive forum messages in your inbox. If you do this, you can see the e-mail headers and view your fellow members' IP address. This however is not the potential vulnerability I have found. It is possible to post from any member account under any subject, or new subject. When this happens your IP information is sent along with the message. This could possibly allow people to attempt some social engineering with other users of the group, namely people of influence such as managers. The vulnerability will also allow you to insert HTML code into your document before you post, and I have not yet tested the possibility of using unsupported MSN Groups HTML, meaning things such as <Body> tags, and most JavaScript. I think that this is a vulnerability because it can be done by anyone from anywhere, to anybody that is a member of an MSN Community: managers, assistant managers, and members alike. It is of course not clear what the impact could be completely since I have yet to hear of anyone else who knows how to exploit this vulnerability. So far I am the only one that I know of who is aware of how to use this.
Possible Actions To Take:
If you worry that someone has done this to your forum or another member, including yourself, then I would suggest that you be sure to change your group settings to send any and all forum messages to your inbox. From there, change your e-mail settings to allow you to view the headers of all e-mails so that you can see the IP address of the person who posted. This could help by possibly determining your group member's actual IP address and/or ISP. This of course won't always help since IPs are not always static, and ISPs can be the same amongst most of your members. However, I think that this is a good step to take in helping to be sure who might be taking advantage of your forum. From there you can determine the ISP of the IP address and report it to their ISP if you deem necessary. It is recommended you speak with the person whose name was used in the forum though. You should e-mail them personally or contact them by another e-mail they use to be absolutely sure that it was them and not someone else. After all, if you used the forum for this, the same person could quickly respond saying everything is okay.
Here is some helpful information on how to receive messages in your inbox from your forum.
Go to "Member Tools" or "Manager Tools" and select "Email Settings". Tick the box that reads "Send all messages immediately to my e-mail inbox." and then click "Save Changes". From then on you should receive e-mail from anyone who has posted on your group forum.
In order to view message headers in your Inbox in "Hotmail" do the following:
Sign into Hotmail.
Click "Options" at the top right of the page.
Click the "Mail" button on the left hand margin.
Select "Mail Display Settings".
Go down to "Message Settings" and select Advanced.
From there click "OK".
Now when you view your e-mail messages you can see more information on the sender. The sender's IP is usually contained after the X-Originating-IP:
In Outlook Express, simply right-click the message subject and click "Properties", click the Details tab, and again the IP is usually located after X-Originating-IP:
I hope this helps anyone who may have been having strange activity on their forums in MSN Groups. I will respond with more information on whether or not you can inject HTML code into your posts that MSN usually does not support.
-Rift-
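The header check described in the post above can be run over saved notification e-mails instead of being read by eye. This is an added example, not part of the original post: it assumes each notification's From header names the member the post claims to come from, and the messages, addresses and IPs below are constructed samples.

```python
import email
import ipaddress
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample notifications (documentation-range IPs, not real mail).
def _mail(name, ip_header):
    return f"From: {name} <{name.lower()}@example.com>\nSubject: post\n{ip_header}\nhello"

SAMPLE = [
    _mail("Alice", "X-Originating-IP: [192.0.2.10]\n"),
    _mail("Bob", "X-Originating-IP: [198.51.100.7]\n"),
    _mail("Alice", "X-Originating-IP: [192.0.2.10]\n"),
    _mail("Alice", "X-Originating-IP: [198.51.100.7]\n"),  # Alice's name, Bob's IP
    _mail("Bob", "X-Originating-IP: [203.0.113.5]\n"),     # may just be a dynamic IP
    _mail("Carol", ""),                                     # header missing
]

def originating_ip(msg):
    """Return the address in X-Originating-IP, or None if absent or malformed."""
    match = re.search(r"[0-9A-Fa-f:.]+", msg.get("X-Originating-IP", ""))
    try:
        return str(ipaddress.ip_address(match.group(0))) if match else None
    except ValueError:
        return None

def review(raw_messages):
    """Flag posts whose IP is new for the claimed sender, noting who else used it."""
    seen = defaultdict(set)  # claimed sender address -> IPs observed so far
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        ip = originating_ip(msg)
        if ip is None:
            findings.append((sender, None, "no-ip-header"))
            continue
        others = sorted(s for s, ips in seen.items() if s != sender and ip in ips)
        if seen[sender] and ip not in seen[sender]:
            reason = "ip-seen-for:" + ",".join(others) if others else "new-ip"
            findings.append((sender, ip, reason))
        seen[sender].add(ip)
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A "new-ip" result on its own is weak evidence, for the reasons the post gives about dynamic addresses and shared ISPs; any flag is a prompt to confirm with the named member through another channel.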