
Cached Page Email Exploit

A case study

David Teisseire, CISSP

In Australia: Copyright (c) David Teisseire 2005-2008

In the United Kingdom: The right of David Teisseire, CISSP to be identified as the Author of the Work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

18th March 2005

Version 1.0.4 Page 1 of 8


Background

It seemed simple enough. The brief was to organise an email account on the mail server of a community organisation. The organisation in question had provided, up until late 2002, free email services to people using the organisation's services. By early 2003, all external email offerings had been removed and only the key players in the organisation still had valid email accounts on its email server. I considered that the brief would fail and the matter would be closed within the hour.

The Approach

The initial approach consisted of sniffing through the website and another site associated with the parent organisation, co-located on the same server. Having verified that new email account facilities were not available for either site, I viewed the HTML source of a number of pages from both sites. Apart from the usual identification of the code cutter or site administrator, there was one page that had a contact name, address and phone number commented out. Was this a case of sloppy coding, or was the code cutter unaware of the implication?

If the code cutter had commented out sections of the HTML rather than deleted them, was it possible that there might also be references to the email registration page in the commented-out sections of one of the visible pages? The idea here was to deep link to the registration page from the commented-out section of the code. I could not readily see, in the pages that I reviewed, any reference to the email registration page; it seems the cutter wasn't so sloppy after all.

My next move was to “google” the site with the 'link:' operator to display sites that had links to either the parent organisation or the site under review. In this instance both sites' links were evaluated. A manageable number of links were identified for both sites.

A methodical search of these linking sites was conducted, in an attempt to locate either a link to, or information about, the email registration process. No such link or information was found. At this point I was prepared to close the brief and write up the findings.

It appeared that a casual Internet user could not set up an email account with the organisation without performing some sort of overt attack against the mail server, and that scenario was outside the brief for the project.

I took time out to have a coffee before writing the report. During this break I redefined what I was trying to achieve in this investigation. There were two distinct investigative issues. Firstly, there was the question as to whether it was possible to create an email account on a mail server that was supposedly closed to new members. Certainly there would be provision for the sysadmin to be able to create, modify and delete accounts, but that was probably behind an administrator password. The fact that the email server was not owned and operated by either the target organisation or the parent body suggested a possible avenue: creating an email account on the physical email server under another domain name and working from there. This option defeated the object of the brief and was abandoned.

The second issue revolved around the actual web pages for the site and their availability for deep linking. I could try guessing the HTML page name that contained the registration form, but the thought of looking at page after page of “page not found” 404 errors seemed less and less appealing the longer I thought about it.

Was there some way to identify the name of the page? Logically the page existed at some time in 2002. Almost certainly every web spider would have revisited the pages since then, so even a search engine's cached copy of the page would be of a more current version. The problem then became far more focused: was there an older cached copy of the pages somewhere?

Visiting the wayback machine (www.archive.org) I was able to input the web address of the site under review, as shown in figure 1.



figure 1

figure 2

The search of the wayback machine displayed a number of web page images from the period under review, as shown in figure 2. I was then able to view any page from those returned by the wayback machine. Of interest were those pages that had an * appended after the spidered date; these indicated the crawls at which the site had been updated. The exercise then became one of viewing the copies of the web page and finding one that still had the email creation facility available.

Initially I considered that I would have to extract the email registration address from the HTML code of the imaged page, but on further consideration I realised that the wayback machine would not have changed the address of the cached pages. This contrasts with locally run applications such as HTTrack, which are capable of imaging a web site locally. HTTrack and its like change the absolute addresses of the pages to relative local ones.

Further investigating a number of other imaged pages on the wayback machine, it became apparent that a fundamental loophole may exist wherever a site uses absolute references in its HREF attributes.

In the case of the site under consideration, although there was a BASE HREF, which was localised for the wayback machine, page references for some of the links were absolute and were not converted. Following such a link from the archived copy leads straight to the live server rather than to another archived page.



Further impacting this situation was the fact that the web site under consideration was both active and, more significantly, still had pages remaining from 2002 at their absolute addresses. The implication here is clear: all unused pages should be removed from the site regardless, and the ability to deep link to an unused web page should be checked whenever the site is updated.
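The two observations above, commented-out markup that still carries links and contact details (see The Approach), and archived pages whose absolute HREFs escape the archive to the live server, can both be checked mechanically. The following Python script is an added example and is not part of the original case study. The snapshot HTML, the hostnames (www.example.org, partner.example.net) and the set of paths the "live" server answers are constructed stand-ins, and the probe_live function takes the place of the HTTP HEAD request a real audit would issue.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ARCHIVE_HOST = "web.archive.org"

# Constructed snapshot (not a real archived page). It models the situation in the text:
# the <base href> has been localised to the archive, so a relative link stays inside the
# archive; an absolute link to the target was left unconverted; and the commented-out
# markup still carries an old link plus contact details.
SNAPSHOT_HTML = """<html><head><title>Community Org</title>
<base href="http://web.archive.org/web/20020615000000/http://www.example.org/">
</head><body>
<a href="about.html">About us</a>
<a href="http://www.example.org/mail/signup.cgi">Free email for members</a>
<!-- <a href="http://www.example.org/mail/register.html">Old registration page</a> -->
<!-- webmaster: J. Citizen, 12 Example Street, 555-0100 -->
<a href="http://partner.example.net/">Parent organisation</a>
</body></html>"""

HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.I)


class SnapshotLinks(HTMLParser):
    """Collects the <base href>, every <a href>, and everything inside HTML comments."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []     # (href, found_in_comment)
        self.comments = []  # raw comment bodies: commented out is not deleted

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], False))

    def handle_comment(self, data):
        self.comments.append(data.strip())
        for href in HREF_RE.findall(data):
            self.links.append((href, True))


def audit_snapshot(html, target_host):
    """Classify each link by the host it actually reaches.

    A relative href resolves against the <base>, so it stays on whatever host the
    base names (the archive, if the archive localised it). An href carrying its own
    host was not rewritten and escapes the snapshot to that host directly.
    """
    p = SnapshotLinks()
    p.feed(html)
    base_host = (urlsplit(p.base).hostname if p.base else ARCHIVE_HOST) or ""
    findings = []
    for href, in_comment in p.links:
        host = (urlsplit(href).hostname or base_host).lower()
        findings.append({
            "href": href,
            "host": host,
            "in_comment": in_comment,
            "escapes_archive": host != ARCHIVE_HOST,
            "hits_target": host == target_host.lower(),
        })
    return findings


def hidden_comments(html):
    """Comment bodies a reader of the rendered page never sees but every client receives."""
    p = SnapshotLinks()
    p.feed(html)
    return p.comments


def escaping_target_links(html, target_host):
    """Absolute links in the snapshot that lead to the live target, deduplicated."""
    return sorted({f["href"] for f in audit_snapshot(html, target_host)
                   if f["escapes_archive"] and f["hits_target"]})


# Offline stand-in for a HEAD request: paths the constructed "live" server still serves.
LIVE_PATHS_200 = {"/", "/about.html", "/mail/signup.cgi"}


def probe_live(url):
    return 200 if urlsplit(url).path in LIVE_PATHS_200 else 404


def still_reachable(html, target_host, probe=probe_live):
    """Old links that escape the archive and that the live site still answers:
    these are the leftover pages that should have been deleted."""
    return [u for u in escaping_target_links(html, target_host) if probe(u) == 200]


if __name__ == "__main__":
    for f in audit_snapshot(SNAPSHOT_HTML, "www.example.org"):
        print(f)
    print("hidden comments:", hidden_comments(SNAPSHOT_HTML))
    print("still reachable on live site:", still_reachable(SNAPSHOT_HTML, "www.example.org"))
```

To use this against a real site, save each snapshot of interest from the wayback machine, feed it to audit_snapshot, and replace probe_live with a HEAD request to the live host. Anything still_reachable returns is an old page that remains deep-linkable from the archive, which is exactly the condition the recommendations in the conclusion ask the responsible officer to check at every site update.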

I was able to load the imaged page from the wayback machine
site then following the email registration link contained on
that imaged page, proceed to secure a valid email account
specifically associated with the briefing organisation. In this
way the brief was proved, somewhat surprisingly, in the
affirmative.

Potential exploits

The establishment of a valid email account as detailed above poses a number of possible risks to both the organisation under consideration and the Internet community at large.

Firstly, there is potential to impersonate a pre-existing account holder. This may be accomplished either by choosing a similar name or by the use of control and/or alt characters in the name string. It is noted, however, that many email service providers either restrict or do not recognise these non-printing codes.

Increasingly, content providers, both free and fee based, are requiring a valid email address. Often they specify that free email accounts of the hotmail, gmail and yahoo type are not acceptable. Persons wishing to subscribe to content will often be reluctant to provide details of their primary email account, and those with less than ethical motives even more so. This form of exploit would allow them not only to set up the email account but also to access it through the same imaged page. This accessibility would allow the exploiter to respond to any verification email or to obtain an access password from the site.

An exploiter could continue to access the organisation's email system via the wayback machine (as in this case) or from a locally saved copy of the access web page. In this regard, even the recommendation of having the image copies removed from the wayback machine may not in itself remove the threat of email account exploitation.

Possible legal considerations

From a legal and ethical perspective, this case poses a number of difficult questions. Exploiting the mere existence of a web page that is accessible via a deep link or through a cached archive, although it is unethical, is something on which I doubt a legal proceeding could be substantiated. There must surely be a question of due diligence on the part of the administrator to take all reasonable precautions to prevent inadvertent access to specific pages of the site.

A case could be made that the imaged pages on the wayback machine confirm the offering of free email services, at least at some point in time. At issue here is whether the organisation ever actually rescinded the offer of free email services. The removal of the signup link may not, in some jurisdictions, constitute valid notification of the removal of the specific service.

A review of the home and subsequent pages of the mail service provider for the organisation revealed that one of their services is to provide hosting for organisations to allow individuals to sign up for email under the organisation's domain name. In this light it would seem, at present at least, that the email service provider has not advised any change in policy that would impact the organisation's right or ability to continue to offer the free email services.

Is there then a case to answer in regard to an attempt to steal from or defraud either the organisation concerned or the email service provider? Since the organisation is paying for the provision of free (as in free to the end user) email, one could justify the position that one cannot steal or misappropriate something that is freely given away to all who register for the free service. The absence of a specific time frame for the offer also reinforces this stance. Could or should an individual be expected to know that the offer of free email services has been rescinded for a specific site hosted by the email service provider?

The matter then hinges on the pathway by which the email services were obtained, that is, via a currently unpublicised link in the target web site. A further issue arises, in that a defendant (should the matter come to trial) could claim that the link was an old bookmark that had not been updated or deleted, so once again the burden must substantially go back to the target's administrator.

A defendant in this matter could claim that there was no indication anywhere on the site that free email services were no longer available. The defendant could further claim that they were not advised and acted on the assumption that those services were freely available to anybody. Looking at the target web site, there is certainly no indication that those services are no longer permitted. The mere absence of a visible link to sign up for or use free email could be interpreted in a number of ways, not all of which suggest a subversive motive.

Conclusion and recommendations

This brief started out quite simply: to prove or disprove whether it was possible to obtain free email services previously offered on a site but now no longer actively promoted. In the end it has raised a number of issues and potential vulnerabilities that go far beyond the brief's seemingly simple answer.

In so far as this matter is concerned, I have, in addition to answering the brief, provided a number of recommendations to the site owners, as set out below:

1. The current home page should specify that free email services are no longer provided to the general Internet-using public.
2. All active pages should provide an active link to a page
where the withdrawal of the service and its date of
implementation are specified. Something in the order of a
link titled 'important email notice' or similar.
3. The responsible officer within either the parent
organisation or its subsidiary should, as a matter of
urgency, delete all non-active pages from the third party
server/s.
4. The responsible officer specified above should familiarise
him/herself with the material imaged at http://archive.org
as it relates to those sites under their care.
5. The responsible officer should periodically check sites
directly linking to the domains under their care.



6. The responsible officer should periodically check via major
or industry/country/special interest search engines the
number and details of returned hits using the domain name
or organisation name or any of its subsidiaries.
7. In extreme cases the responsible officer should contact the maintainers of the wayback machine and arrange to have the site removed from the archive as detailed at http://www.archive.org/about/faqs.php, which states, amongst other matters:

How can I remove my site's pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us.
