
Mail2web - read other peoples' email!
Vulnerability

    mail2web

Affected

    mail2web web-based emailservice

Description

    Patrick Oonk posted the following. His colleague Roy Froma was
    checking an httpd log while debugging a web site script and saw a
    strange-looking Referer in the log. When he copied this URL into
    his browser, he was suddenly reading somebody else's mail.
    Apparently this person had clicked on a link to the site from
    within his email, and the browser sent the full mail2web URL,
    session parameter included, as the Referer header for that
    request. The URL looked like this:

        http://www.mail2web.com/cgi-bin/readmsg.asp?listdirection=-1&listperpage=10&msgnumber=1&abc=VERYLONGSTRINGGOINGONFORAGES

    After about five minutes the authentication expired, possibly
    because the legitimate owner of the mail logged off from the
    service. Mail2web appears to be some kind of POP-to-web gateway
    offered by the web hosting service Softcom.
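    The way Roy Froma stumbled on this, a token-bearing URL turning up
    in someone else's httpd log, can be made into a routine check. The
    Python below is an added example, not code from the original
    advisory: it parses combined-format log lines and flags Referer
    values whose query string carries a long opaque parameter. The log
    lines, hosts and token value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Query-string values at least this long and made only of token-ish characters
# are treated as possible leaked credentials (threshold is an assumption).
MIN_TOKEN_LEN = 32
TOKEN_CHARS = re.compile(r'[A-Za-z0-9+/=_-]+')

def parse_log_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(url, min_len=MIN_TOKEN_LEN):
    """Return (name, value) pairs in url's query string that look like opaque tokens."""
    query = urlsplit(url).query
    return [(n, v) for n, v in parse_qsl(query)
            if len(v) >= min_len and TOKEN_CHARS.fullmatch(v)]

def find_leaked_tokens(lines):
    """Report requests whose Referer carried a token-like query parameter."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec or rec["referer"] in ("", "-"):
            continue
        params = suspicious_params(rec["referer"])
        if params:
            ref = urlsplit(rec["referer"])
            hits.append({"client": rec["host"], "host": ref.netloc,
                         "path": ref.path, "params": [n for n, _ in params]})
    return hits

# Constructed sample log lines; the webmail host and the abc= value are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "http://www.example.com/" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Oct/2000:13:56:01 -0700] "GET /site.html HTTP/1.0" 200 1024 "http://webmail.example.net/cgi-bin/readmsg.asp?listdirection=-1&listperpage=10&msgnumber=1&abc=QWxhZGRpbjpvcGVuIHNlc2FtZQQWxhZGRpbjpvcGVuIHNlc2FtZQ" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2000:13:57:12 -0700] "GET /other.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_leaked_tokens(SAMPLE_LOG):
        print(f'{hit["client"]} arrived from {hit["host"]}{hit["path"]} carrying token-like params {hit["params"]}')
```

    Pointing the same check at the outbound side (your own site's
    links that carry session values) is the mitigation view of the
    same data: anything it flags should be moved out of the URL.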

    Nice quote from the Mail2web site: "Mail2Web lets you to have
    control on your email without the hassle. Your activities are
    private and none of them are being recorded."

Solution

    Vendor notified.

Site design & layout copyright © 1986-2024 AOH