Another web-based mail reader hole

From: Dave Pifke (daveat_private)
Date: Mon Jan 18 1999 - 15:24:09 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    
    This bug has been fixed in most webmail clients for quite some time now,
    but I guess some people just don't see security as a design priority.
    
    The free, web-based mail client at www.angelfire.com passes authentication
    data in the URL.  So your authentication token happily gets logged if
    you use a proxy server or follow a link in a mail message (via the HTTP
    referrer header).
    
    Without really bothering to look deeper, it's quite likely that the web
    page editor at the same site uses the same authentication token or is
    susceptible to the same bug.
    
    
    - --
    Dave Pifke, daveat_private
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:12 PDT
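
Added example, not part of the original post: one way to audit web or proxy access logs for the exposure described above, flagging credential-bearing query parameters in both the request URL and the Referer field and redacting them for reporting. The parameter names in SENSITIVE, the Combined Log Format layout, and the sample lines are assumptions; the post does not name the parameter the site used.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names that commonly carry credentials; adjust per application.
SENSITIVE = {"token", "auth", "session", "sid", "sessionid", "password", "passwd", "key"}

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(url):
    """Return (redacted_url, sorted list of sensitive parameter names found)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan(lines):
    """Yield (line_no, field, params, redacted_url) for each credential-bearing URL."""
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        for field in ("target", "referer"):
            url = m.group(field)
            if url in ("", "-"):
                continue
            redacted, params = redact(url)
            if params:
                yield no, field, params, redacted

# Constructed sample lines (not real traffic; addresses and hosts are reserved examples).
SAMPLE = [
    '192.0.2.10 - - [18/Jan/1999:15:24:09 -0800] "GET /mail/inbox?user=alice&token=abc123 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [18/Jan/1999:15:25:01 -0800] "GET /index.html HTTP/1.0" 200 1024 "http://webmail.example/mail/read?msg=7&token=abc123" "Mozilla/4.0"',
    '192.0.2.11 - - [18/Jan/1999:15:26:30 -0800] "GET /about.html HTTP/1.0" 200 300 "http://www.example.org/links.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit in the "target" field means the local server or proxy recorded the token itself; a hit in the "referer" field means a token issued by another site arrived via a followed link.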