Security Issue in IcewarpFrom: Huseyin Uslu (firstname.lastname@example.org)
- Previous message: email@example.com: "RE: Intel.com Mailing List Arbitrary Address Removal Link"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Huseyin Uslu" <firstname.lastname@example.org> To: email@example.com Date: Sat, 09 Feb 2002 19:46:42 +0200
Icewarp is one the world's most used web mail software.
It's another product of Merak Mail developers.
There is an seccurity issue in Icewarp.
It's like this:
When you create a new user , icewarp gives him a static number.
If this user does not logout after checking his inbox you can
access his inbox.
I wrote this issue to developers of Icewarp they said me to
increase the timeout value. In standart installation timeout value is
defaulty very large.
They said they don't think to use cookie system.
Here is how to use this issue:
Let's say that our users static number is 098d0f444ec627534540ac4f02f29fh7
if the user does not signout and if you get this
you can access inbox before it times out.
This id never changes.
How to get a users id?
You must have an email account in icewarp using host. Than you can send a
mail directly to firstname.lastname@example.org . Wait for the reply.
If it comes his id is in links (answer,forward..)
Also we know that most users in general do not signout.
So I think that this is an important issue.
In include.html find the default value 240 and make it lower. In a support
message that came from icewarps developers thay said 240 could be in
and my customer in the web host i'm working..
Hüseyin Uslu is not responsible for any usage of this security issue.
Developer of this software have been informed.
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.