Alt-N MDaemon Session ID Hijacking Vulnerability
BID:1553
Info
| Bugtraq ID: | 1553 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 09 2000 12:00AM |
| Updated: | Aug 09 2000 12:00AM |
| Credit: | Posted to NTBugtraq on August 9, 2000 by Jeroen Schipper <[email protected]>. |
| Vulnerable: | Alt-N MDaemon 2.8 |
| Not Vulnerable: | |
Discussion
WorldClient is an email client that accompanies Alt-N's MDaemon email server. WorldClient is capable of reading HTML-formatted email messages. This lends itself to session ID hijacking: whenever an email recipient clicks on a link in a message, the session ID is relayed to the linked address in the referrer field of the HTTP request. The session ID could then be used to read the email of the remote user.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
- MDaemon POP3/SMTP Server for Windows (Alt-N)
- Session hijacking in Alt-N's MDaemon 2.8 (Jeroen Schipper)