
Alt-N MDaemon HTTP Session hijack

COMMAND

    MDaemon

SYSTEMS AFFECTED

    Alt-N's MDaemon 2.8

PROBLEM

    Jeroen Schipper found the following. It is possible to hijack an
    HTTP session from MDaemon / WorldClient Standard version 2.8.
    MDaemon 2.8 comes with WorldClient Standard, which allows you to
    read your mail using a browser. When you receive an HTML-formatted
    message and click on a link in it, WorldClient sends the session ID
    in the Referer header of the HTTP request to the linked site. Anyone
    who can read that header (for example, the operator of the linked
    site) can then use the ID to open the user's mailbox from any other
    location.
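    The leak above is the classic "session token in the URL" problem: any
    outbound link carries the token in the Referer. The following added
    example (not part of the advisory, nor Alt-N code) shows how a defender
    can spot such a leak in proxy logs and what the hardened response
    headers look like; the webmail host, the `Session` parameter name and
    the log format are assumptions.

```python
"""Detect a webmail session ID leaking via the Referer header, and build the
hardened headers. Host name, parameter name and log layout are assumed."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

WEBMAIL_HOST = "mail.example.com"             # assumed webmail host
SESSION_PARAMS = {"session", "sessionid"}     # assumed query parameter names


def leaked_session(referer: str, dest: str) -> Optional[str]:
    """Return the session token if `referer` is a webmail URL carrying one and
    `dest` lies outside the webmail host; otherwise None."""
    ref, dst = urlparse(referer), urlparse(dest)
    if ref.hostname != WEBMAIL_HOST or dst.hostname == WEBMAIL_HOST:
        return None
    for name, values in parse_qs(ref.query).items():
        if name.lower() in SESSION_PARAMS and values:
            return values[0]
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str]]:
    """Parse constructed '<dest_url> <referer>' lines ('-' = no Referer) and
    return (token, destination host) for every request that leaks a token."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, referer = line.split(maxsplit=1)
        token = leaked_session(referer, dest)
        if token:
            hits.append((token, urlparse(dest).hostname))
    return hits


def hardened_headers(token: str) -> dict:
    """Fixed design: token lives in a cookie, never in the URL, and the page
    asks browsers not to send a Referer when the user follows a link."""
    return {
        "Set-Cookie": f"WCSESSION={token}; HttpOnly; Secure; SameSite=Lax",
        "Referrer-Policy": "no-referrer",
    }


# Constructed sample: one external click with a leaked token, one internal
# navigation, one request with no Referer at all.
SAMPLE_LOG = """\
http://external.example.org/page http://mail.example.com/webmail?Session=abc123&View=Main
http://mail.example.com/webmail?View=Inbox http://mail.example.com/webmail?Session=abc123
http://images.example.net/logo.gif -
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` on the constructed sample flags only the first line.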

SOLUTION

    Download the fix for MDaemon 2.8 and upgrade to 2.8.7.5. You will
    need MDaemon version 2.8.5.0 to install this fix.

        ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patchNT.exe - NT version
        ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patch9X.exe - 9X version

    Users of MDaemon version 3 should also upgrade to the latest
    version, as this problem also existed in MDaemon 3.
