Not counting SSL, there are two forms of security in the web messaging in
versions before 2K6: the "session key" and source IP checking. When a user
logs in, the web server creates a unique session key which is passed back
and forth between client and the server embedded in the links. Once the
person logs out or times out, that session key is deleted. The other form
of security is the source IP check. When a user logs in and the session key
is created, the IP address the user logged in from is also saved. Whenever
that user requests a page, the session key is validated as well as the IP
checked to make sure it matches. If both of these items match, then the
page is served. This source IP checking sometimes presents a problem
because users from certain services like AOL hit messaging with a different
IP address every time they change pages. So, AOL users could not use
this version of web messaging if the source IP checking is turned on. To
get around that issue, many configure the web service to ignore the source
IP check.
It sounds like this user sent you a link containing this session key, so you
were able to click on that link and see the actual message because that user
had not yet logged out. If the server had the source IP checking enabled or
was using SSL, this would have failed.
Web messaging in 2006 uses IIS and a different form of session keys so this
is not possible in 2006.
Tripp
----- Original Message -----
From: "Michael Grice" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, August 09, 2006 4:18 PM
Subject: [IMail Forum] I can read someone else's Imail account from my blog link
This was weird. I checked my Wordpress referrer links today and one of
them was from a mail.domainname.com account. I clicked the link and it
took me into this woman's Imail message. Apparently, someone had
forwarded my blog entry to her in an email, and she clicked the link
to pass through to my site. With another click on the Menu option, I
was into her entire IMail account. I can see she has 18 messages,
using 5MB of disk space, etc.
Is this an Imail security hole? (it looks like it might be 8.5)
Did the ISP screw up when they installed this?
Do I alert them?
Or do I alert the email account holder?
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
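The leak Tripp describes (session key embedded in every link, optionally bound to the login IP, and carried to a third-party site in the browser's Referer header) as an added example that is not part of the thread and not IMail's own code. Everything here is a constructed model: the query parameter name `session`, the hostnames, the IP addresses and the 15-minute timeout are assumptions, not IMail's real names or defaults. The hardened variant at the end keeps the key out of the URL (in a cookie), so there is nothing for the Referer to carry.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Constructed model of the pre-2006 scheme described in the thread. The
# parameter name, hostnames, IPs and timeout are assumptions for this example.
SESSION_PARAM = "session"
TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table: key -> (user, login_ip, last_seen)."""

    def __init__(self, check_source_ip=True, now=time.time):
        self.check_source_ip = check_source_ip
        self._now = now
        self._sessions = {}

    def login(self, user, ip):
        key = secrets.token_urlsafe(24)       # unique, unguessable session key
        self._sessions[key] = (user, ip, self._now())
        return key

    def logout(self, key):
        self._sessions.pop(key, None)         # logout deletes the key

    def validate(self, key, ip):
        """Return the user if the key is live and (when enabled) the IP matches."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, login_ip, last_seen = entry
        if self._now() - last_seen > TTL_SECONDS:
            self.logout(key)                  # timed out: key is deleted too
            return None
        if self.check_source_ip and ip != login_ip:
            return None                       # source IP check rejects replay
        self._sessions[key] = (user, login_ip, self._now())
        return user


def message_url(key, msg_id):
    """Pre-2006 style link: the session key rides in the URL of every page."""
    return f"http://mail.example.net/cgi-bin/webmsg?{SESSION_PARAM}={key}&msg={msg_id}"


def cookie_session_url(msg_id):
    """Hardened style: the key lives in a cookie, so the URL carries only the message id."""
    return f"http://mail.example.net/cgi-bin/webmsg?msg={msg_id}"


def referer_for_outbound_click(page_url):
    """A 2006 browser following a plain-http link sent the full page URL as Referer.
    (An https page linking to http sends no Referer at all, which is why SSL
    would have prevented this leak.)"""
    return page_url


def key_from_referer(referer):
    """What the blog owner can pull out of their referrer log."""
    qs = parse_qs(urlsplit(referer).query)
    return qs.get(SESSION_PARAM, [None])[0]


def replay_from_referer(store, referer, attacker_ip):
    """Click the logged referrer from a different host and see what the server serves."""
    key = key_from_referer(referer)
    if key is None:
        return None
    return store.validate(key, attacker_ip)


def demo(check_source_ip):
    """Victim (10.0.0.5) reads a message, clicks a blog link; blog owner (198.51.100.9)
    clicks the logged referrer while the victim is still logged in."""
    store = SessionStore(check_source_ip=check_source_ip)
    key = store.login("victim", "10.0.0.5")
    page = message_url(key, 17)
    referer = referer_for_outbound_click(page)   # this line ends up in the blog's logs
    return replay_from_referer(store, referer, "198.51.100.9")


if __name__ == "__main__":
    print("IP check off:", demo(False))          # blog owner gets the victim's session
    print("IP check on: ", demo(True))           # rejected, different source IP
    print("cookie session leaks:", key_from_referer(cookie_session_url(17)))
```

With the IP check disabled (the common AOL workaround), the replayed referrer is accepted and the blog owner lands in the victim's mailbox; with it enabled, or once the victim logs out or times out, the same link is refused. Moving the key into a cookie removes it from the URL entirely, so even a full Referer carries nothing useful.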