COMMAND

ArGoSoft Mail Server Pro script injection

SYSTEMS AFFECTED

ArGoSoft Mail Server Pro, tested on version 1.8.1.9

PROBLEM

Francisco Claude [zorbas@systat.cl] says:

It is possible to execute JavaScript by sending it inside a mail; ArGoSoft does not filter that, and you can steal the cookie from the user. The cookie has a problem too: it saves the username and the password in plain text. You have only to decode the cookie, and you have something like this:

mail@domain:password

SOLUTION

Deactivate the Web-Mail interface until a patch is released.
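
The two server-side fixes the report points to, escaping a message body before the webmail page displays it and keeping credentials out of the cookie, are sketched below. This is an added example, not ArGoSoft code or part of the original advisory; the function names, the "sid" cookie name and the in-memory session store are assumptions.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side session store: random token -> username.
# The password is never stored here or sent back to the browser.
SESSIONS = {}

# Constructed sample of a mail body that carries markup.
SAMPLE_BODY = "Hello <script>document.title = 'x'</script> world"


def render_message_body(body: str) -> str:
    """Escape a mail body so any markup in it is shown as text, not run."""
    return "<pre>" + html.escape(body, quote=True) + "</pre>"


def issue_session_cookie(username: str) -> str:
    """Build a Set-Cookie value that holds only an opaque random token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # not readable from page script
    cookie["sid"]["secure"] = True     # sent over TLS only
    cookie["sid"]["samesite"] = "Strict"
    return cookie["sid"].OutputString()


def user_for_cookie(cookie_header: str):
    """Map a request Cookie header back to a username, or None if unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    print(render_message_body(SAMPLE_BODY))
    print(issue_session_cookie("mail@domain"))
```

With this layout a stolen or decoded cookie yields only a revocable token, and script sent in a message is displayed as literal text.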