ArGoSoft Web-Mail security problem

From: Z0rbaS (zorbasat_private)
Date: Sun Oct 06 2002 - 20:05:14 PDT


    ArGoSoft Web-Mail security problem.
    
    A vulnerability affects ArGoSoft Mail Server Pro for WinNT/2000/XP
    (Version 1.8.1.9).
    I did not test other versions; this is the only one I have, but others should be
    vulnerable too. The problem is in the Web-Mail interface: it is possible to
    execute JavaScript by sending it inside a mail. ArGoSoft does not filter
    that, and you can steal the cookie from the user. The cookie has a problem
    too: it saves the username and the password in plain text. You only have to
    decode the cookie, and you have something like this:
    
    mail@domain:password
    
    I would deactivate the Web-Mail interface until a patch is released.
    
    
    Francisco Claude
    zorbasat_private
    
    P.S. Sorry for my bad English.
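
The two weaknesses reported above, seen from the defending side, as an added example that is not part of the original post and is not ArGoSoft code: an audit check for cookies that carry `mail@domain:password`, next to a session cookie and body rendering that avoid both problems. The post does not name the cookie encoding, so Base64 is an assumption here, and all function names and sample values are hypothetical.

```python
import base64
import binascii
import html
import re
import secrets

# Shape reported in the post: mail@domain:password
CRED_RE = re.compile(r"^[^@\s:]+@[^@\s:]+:.+$")

# Constructed sample cookie value (assumed Base64; the post names no encoding).
SAMPLE_COOKIE = base64.b64encode(b"alice@example.test:hunter2").decode()

def cookie_leaks_credentials(value: str) -> bool:
    """Audit check: True if the value is, or Base64-decodes to, user@domain:password."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not Base64 text, so only the raw value is checked
    return any(CRED_RE.match(c) for c in candidates)

# Server-side session store: token -> username (in memory for the example).
SESSIONS = {}

def login_cookie(username: str) -> str:
    """Hardened form: the cookie holds a random token, never the password."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    # HttpOnly keeps page script from reading the cookie at all.
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

def render_body(mail_body: str) -> str:
    """Escape a plain-text mail body before it is placed in the web-mail page.

    HTML mail needs an allow-list sanitizer instead; escaping covers text display.
    """
    return "<pre>" + html.escape(mail_body, quote=True) + "</pre>"

if __name__ == "__main__":
    print("sample cookie leaks credentials:", cookie_leaks_credentials(SAMPLE_COOKIE))
    cookie = login_cookie("alice@example.test")
    token = cookie.split(";")[0].split("=", 1)[1]
    print("hardened cookie leaks credentials:", cookie_leaks_credentials(token))
    print(render_body("<script>x</script>"))
```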
    


