Session Hijacking Vulnerability in Icewarp
From: "Huseyin Uslu" <raistlinthewiz@hotmail.com>
To: bugtraq@securityfocus.com
Subject: Security Issue in Icewarp
Date: Sat, 09 Feb 2002 19:46:42 +0200

Icewarp is one of the world's most used webmail software packages. It is another product of the Merak Mail developers.

There is a security issue in Icewarp.

It's like this:

When you create a new user, Icewarp gives him a static number. If this user does not log out after checking his inbox, you can access his inbox.

I wrote about this issue to the developers of Icewarp; they told me to increase the timeout value. In the standard installation the timeout value is by default very large. They said they are not thinking of using a cookie system.

Here is how to use this issue:

Let's say that our user's static number is 098d0f444c627534540ac4f02f29fh7. If the user does not sign out, and if you get this 098d0f444c627534540ac4f02f29fh7, you can access the inbox before it times out.

http://anyicewarpusingsite.com/view.html?id=098d0f444c627534540ac4f02f29fh7

This id never changes.

How to get a user's id?
-----------------------
You must have an email account on a host that uses Icewarp. Then you can send a mail directly to user@anyicewarpusingsite.com. Wait for the reply. If it comes, his id is in the links (answer, forward, ...).


Also we know that most users in general do not sign out.

So I think that this is an important issue.

Fix:
In include.html find the default value 240 and make it lower. In a support message that came from Icewarp's developers they said 240 could be in minutes!!

Credits:
Hüseyin Uslu, and my customer at the web host I'm working at.


Notice:
Hüseyin Uslu is not responsible for any usage of this security issue. The developers of this software have been informed.

-------------------------
Hüseyin Uslu
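The two design points the post turns on, a session id that is fixed per account and never rotates, and an idle timeout long enough that the id stays usable after the user walks away, can be shown side by side in a small model. The following Python is an added illustration, not Icewarp's code and not the poster's: the session store, the `site_secret`-based id scheme, the class and function names, and the sample reply mail (constructed to carry the id in its answer/forward links, as the post describes) are all assumptions made for the example. The hardened variant swaps the fixed id for a fresh random token per login with a short idle timeout and a real logout.

```python
"""Static per-user session id (the pattern in the advisory) versus a per-login
random token.  Illustrative model only; not Icewarp's implementation."""
import hashlib
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample reply: the webmail's answer/forward links carry the id in
# the URL, so whoever receives the mail can read it.
SAMPLE_REPLY = """\
Hi, thanks for your mail.

answer:  http://anyicewarpusingsite.com/view.html?id=098d0f444c627534540ac4f02f29fh7&act=reply
forward: http://anyicewarpusingsite.com/view.html?id=098d0f444c627534540ac4f02f29fh7&act=fwd
"""

ID_IN_LINK = re.compile(r"view\.html\?id=([0-9a-z]+)")


def ids_in_mail(body: str) -> set:
    """Collect every session id embedded in webmail links in a mail body."""
    return set(ID_IN_LINK.findall(body))


def static_user_id(username: str, site_secret: str) -> str:
    """Hypothetical fixed-id scheme: derived from the account, so it is the same
    on every login and stays valid for as long as the account exists."""
    return hashlib.sha256(f"{site_secret}:{username}".encode()).hexdigest()


@dataclass
class StaticIdWebmail:
    """Vulnerable model: one id per user, kept alive by any hit within the timeout."""
    site_secret: str
    timeout: float                                   # idle timeout in seconds
    last_seen: dict = field(default_factory=dict)    # id -> last activity

    def login(self, user: str, now: float) -> str:
        sid = static_user_id(user, self.site_secret)
        self.last_seen[sid] = now
        return sid

    def inbox_open(self, sid: str, now: float) -> bool:
        last = self.last_seen.get(sid)
        if last is None or now - last > self.timeout:
            return False
        self.last_seen[sid] = now                    # each hit extends the session
        return True


@dataclass
class TokenWebmail:
    """Hardened model: unpredictable token per login, short idle timeout, logout."""
    idle_timeout: float
    sessions: dict = field(default_factory=dict)     # token -> (user, last activity)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)            # fresh 256-bit token each login
        self.sessions[token] = (user, now)
        return token

    def inbox_open(self, token: str, now: float) -> Optional[str]:
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last = entry
        if now - last > self.idle_timeout:
            del self.sessions[token]                 # expired: drop it server-side
            return None
        self.sessions[token] = (user, now)
        return user

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    leaked = ids_in_mail(SAMPLE_REPLY)
    print("ids found in reply links:", leaked)

    vuln = StaticIdWebmail(site_secret="demo-secret", timeout=240 * 60)
    first = vuln.login("victim", now=0.0)
    again = vuln.login("victim", now=3600.0)         # next day's login, same id
    print("static id unchanged across logins:", first == again)
    print("attacker opens inbox with captured id:", vuln.inbox_open(first, now=3700.0))

    fixed = TokenWebmail(idle_timeout=10 * 60)
    t1 = fixed.login("victim", now=0.0)
    fixed.logout(t1)
    print("captured token after logout:", fixed.inbox_open(t1, now=1.0))
```

The `StaticIdWebmail` model also shows why "this id never changes" matters beyond the timeout: once the user logs in again, the old leaked value is live again, whereas in `TokenWebmail` a token captured from a mail is dead after logout or expiry and the next login mints a different one.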
Copyright 2000-2007 Cgisecurity.com.