BID:9807

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

Info

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

Bugtraq ID:	9807
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 04 2004 12:00AM
Updated:	Mar 04 2004 12:00AM
Credit:	Discovery of this vulnerability has been credited to Ian Koch.
Vulnerable:	DAWKCo POP3 Server Hosting Version w/t WebMAIL Extension. 6.1

Not Vulnerable:	DAWKCo POP3 Server Hosting Version w/t WebMAIL Extension. 6.2

Discussion

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

It has been reported that DAWKCo POP3 Server Hosting Version with WebMAIL Extension does not properly handle timed out sessions. Because of this, it may be possible for a user regain access to a previous session.

This could potentially expose sessions, especially in situations where other vulnerabilities facilitate session hijacking.

Exploit / POC

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

There is no exploit required.

Solution / Fix

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

Solution:
The vendor has reported that all customers have received an update to address this issue. Customers who have not received this update are advised to contact the vendor at the following address: [email protected]. This update is also included in DAWKco POP3 Server Hosting Version w/t WebMAIL Extension version 6.2.

References

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

References:

DAWKCo POP3 Server with WebMAIL Extension Homepage (DAWKCo)