Hi
A vulnerability was reported in SqWebMail. A remote user can obtain a target user's session ID and hijack the target user's session.
http://www.securitytracker.com/alerts/2003/Nov/1008227.html
IMHO this vulnerability could not happen when you mark 'remember IP-Address' when you log into SQWebmail. Is this right?
Correct. Furthermore all HTTP links are sent through a redirector, for the explicit purpose of getting rid of the referral header. See SECURITY.
A follow-up message to that post indicated that the claim could not be reproduced. If the original poster found a way around the HTTP redirector, he didn't provide sufficient details.
It could also be a browser-specific issue, where the browser keeps the original Referrer: header even after a forced refresh.
Is a patch in sight?
Not until there's clear evidence of a problem.