
Alt-N MDaemon HTTP Session hijack




    Alt-N's MDaemon 2.8


    Jeroen Schipper found the following. It is possible to hijack an
    HTTP session from MDaemon / WorldClient Standard version 2.8.
    MDaemon 2.8 comes with WorldClient Standard, which allows you to
    read your mail using a browser. When you receive an HTML
    formatted page and click on a link, WorldClient sends the session
    ID in the Referer header of the HTTP request. This ID can then be
    used to open the user's mailbox from any other location.
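
    One way to spot reuse of a leaked session ID on the server side, as
    an added example that is not part of the original advisory or of
    Alt-N's code. It assumes the ID travels in a query parameter named
    "Session" (hypothetical; the advisory does not name it) and that
    the webmail front end writes common-format access logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the session ID travels in a query parameter named "Session".
# The advisory does not give WorldClient's real parameter name.
SESSION_PARAM = "Session"

# Common log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+'
)

def session_id(url):
    """Return the session ID carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def find_shared_sessions(lines):
    """Map session ID -> client IPs in first-seen order, for IDs used by more than one IP."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        sid = session_id(m.group("target"))
        if sid and m.group("ip") not in seen[sid]:
            seen[sid].append(m.group("ip"))
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}

# Constructed sample log lines (documentation address ranges, made-up IDs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /inbox?Session=AAAA1111 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [01/Jan/2000:10:00:05 +0000] "GET /view?Session=AAAA1111&msg=3 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2000:10:02:00 +0000] "GET /inbox?Session=AAAA1111 HTTP/1.0" 200 5120',
    '192.0.2.25 - - [01/Jan/2000:10:03:00 +0000] "GET /inbox?Session=BBBB2222 HTTP/1.0" 200 4096',
    'malformed line',
]

if __name__ == "__main__":
    for sid, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: first seen from {ips[0]}, also used from {', '.join(ips[1:])}")
```

    A session seen from two addresses is a lead, not proof: proxies and
    dial-up reconnects also change the client address mid-session.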


    Download the fix for MDaemon 2.8 and upgrade to  You will
    need MDaemon version to install this fix.

        ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patchNT.exe - NT version
        ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patch9X.exe - 9X version

    Users  of  MDaemon  version  3  should  also upgrade to the latest
    version as this problem also existed in MDaemon 3.
