Anthony Baratta wrote:

For those that use SqWebMail...this came across BugTraq.

What could an attacker do?
Read, write and fake your e-mail. They could send, from your email address, a
mail to your ISP and ask it for the USER and PASS of your
website. The consequences would be catastrophic.

What can I do?
Actually, it seems that there isn't a patch for this problem.

Suggestion to SqWebMail
It should reduce the time before sessions are closed.

Well, either that, or use cookies, and drop it totally. Or use the session ID as used now, but check the IP for a returning visitor that does not have a cookie set.

Thus now they cannot do this anymore.
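The checks suggested in this thread (a shorter session timeout, a cookie, and an IP comparison for a returning visitor with no cookie), as an added sketch that is not part of the original post and is not SqWebMail's code. The `Session` record, `check_request`, the 300-second timeout and the sample addresses are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed value: the post only says the closing time should be reduced.
IDLE_TIMEOUT = 300  # seconds


@dataclass
class Session:
    """Hypothetical server-side session record."""
    user: str
    client_ip: str  # address seen when the user logged in
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    cookie: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_seen: float = field(default_factory=time.time)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of secret values.
    return hmac.compare_digest(a.encode(), b.encode())


def check_request(sess, presented_id, presented_cookie, client_ip, now=None):
    """Return (allowed, reason) for a request that carries a session ID."""
    now = time.time() if now is None else now
    if not _same(presented_id, sess.session_id):
        return False, "unknown session"
    if now - sess.last_seen > IDLE_TIMEOUT:
        return False, "expired"
    if presented_cookie is not None:
        # Cookie present: it must match the one issued at login.
        if not _same(presented_cookie, sess.cookie):
            return False, "bad cookie"
    elif client_ip != sess.client_ip:
        # No cookie set: fall back to comparing the visitor's IP address.
        return False, "ip mismatch"
    sess.last_seen = now  # only accepted requests extend the session
    return True, "ok"


if __name__ == "__main__":
    s = Session(user="alice", client_ip="192.0.2.10")  # constructed sample
    print(check_request(s, s.session_id, None, "192.0.2.10"))
    print(check_request(s, s.session_id, None, "198.51.100.7"))
```

Clients behind the same NAT or proxy share an address, so the IP comparison narrows where a session ID can be reused rather than ruling it out.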


