On Mon, 17 Nov 2003 11:14:24 -0800
Anthony Baratta <[EMAIL PROTECTED]> wrote:

> For those that use SqWebMail...this came across BugTraq.
> 
> >Date: Tue, 18 Nov 2003 02:18:04 +0100 (CET)
> >From: Vincenzo Ciaglia <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: PCL-0002: Session Hijacking in "Sqwebmail"
> >
> >---------------------------
> >PUCCIOLAB.ORG - ADVISORIES
> ><http://www.pucciolab.org>
> >---------------------------
> >
> >PCL-0002: Session Hijacking in "Sqwebmail"

[snip]

> >Example:
> >-------------------
> >MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> >http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trash&form=folders
> >
> >
> >In this example, the victim has viewed our website by reading the mail
> >that we have sent to him. Visiting the link has been
> >marked by our counter. Now we will be able to access the victim's
> >mail admin page and will be able to read and send, calmly,
> >his email without logging in. The session closes after approximately
> >20/30 minutes, and the attacker has the time
> >to make himself comfortable.

I haven't tried this, but I was under the impression that the "Restrict access to your 
IP address only (increased security)" - option specifically avoided the problem of 
session-hijacking.
Also, I thought that sqwebmail used to "escape" outbound hyperlinks via a special 
URL-forwarder (which often didn't work in some browsers), with the only intent to 
cloak the referrer.

Is this all useless?

Rainer
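The two defences Rainer mentions, binding a session to the client IP and routing outbound links through a referrer-cloaking forwarder, are easy to model. The following is an added illustration, not code from sqwebmail or from anyone in this thread; the session store, the 30-minute lifetime (taken from the advisory's "20/30 minutes"), and the forwarder path `/cgi-bin/sqwebmail/redirect?url=` are all assumptions made for the example.

```python
import re
import time
from urllib.parse import quote

# Assumed session lifetime, based on the advisory's "approximately 20/30 minutes".
SESSION_TTL = 30 * 60


class SessionStore:
    """Toy in-memory session table (assumption: real sqwebmail stores sessions differently)."""

    def __init__(self):
        self._sessions = {}

    def create(self, token, client_ip, created_at, bind_ip=True):
        # bind_ip models the "Restrict access to your IP address only" option.
        self._sessions[token] = {"ip": client_ip, "created": created_at, "bind_ip": bind_ip}

    def is_valid(self, token, client_ip, now):
        """A leaked token alone is not enough when the session is bound to an IP and has expired."""
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s["created"] > SESSION_TTL:
            return False            # session has timed out
        if s["bind_ip"] and s["ip"] != client_ip:
            return False            # token presented from a different address
        return True


# Matches absolute http(s) links in an HTML mail body.
LINK_RE = re.compile(r'href="(https?://[^"]+)"')


def cloak_links(html, forwarder="/cgi-bin/sqwebmail/redirect?url="):
    """Rewrite outbound links to go through a forwarder whose own URL carries no session token.

    The browser's Referer for the external site then names the forwarder page, not the
    token-bearing mailbox URL. The forwarder path is an assumption for this example.
    """
    return LINK_RE.sub(lambda m: f'href="{forwarder}{quote(m.group(1), safe="")}"', html)


def referer_leaks_token(referer):
    """Flag a Referer value whose path carries a 32-hex segment like the one in the advisory."""
    return re.search(r"/[0-9A-Fa-f]{32}/", referer) is not None


if __name__ == "__main__":
    store = SessionStore()
    now = time.time()
    store.create("3247A0578D6F3E74F37A20FF37B52A1C", "192.0.2.10", now)
    print(store.is_valid("3247A0578D6F3E74F37A20FF37B52A1C", "192.0.2.10", now + 60))   # True
    print(store.is_valid("3247A0578D6F3E74F37A20FF37B52A1C", "198.51.100.7", now + 60)) # False
    print(cloak_links('<a href="http://example.com/x?y=1">link</a>'))
```

The IP check only helps when the option is enabled per session, and the forwarder only helps if the forwarder page itself is reached by a URL without the token, which is what the `forwarder` default above assumes.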
