COMMAND

IMHO webmail allows reading other users' mail

SYSTEMS AFFECTED

IMHO 0.97.x and Roxen 1.3.122

PROBLEM

SecurityBugware was informed that, on an IMHO-based system, if you:

- Log in with a valid user/passwd,
- Log out,
- Go to the URL:

    (((webmail_URL)))/(old_error,plain)/mail/error?error=1

  [if the IMHO module is mounted on /mail/]

you will see an error page with a referer. Just copy and paste it into your browser and you'll get the inbox contents. This works if the session has not expired and the browser wasn't closed.

SOLUTION

Update
======

To fix the issue, add the following line to the Roxen configuration file and reload Roxen:

    Global Variables -> Show the internals : No

Note that although CAMAS was initially an IMHO fork, it is unaffected by the bug.
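A log check for the error-page request described under PROBLEM, added here as an example and not part of the original advisory. It assumes Common Log Format access logs; the function names and sample lines are constructed, and matching the parenthesised component in any order or percent-encoded goes beyond the single URL form the advisory gives.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the server writes Common Log Format access logs.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_error_probe(target, mount="/mail/"):
    """True if target is the advisory's error-page URL for this mount point."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # also catches %28old_error%2Cplain%29
    m = re.match(r"^/\(([^)]*)\)(/.*)$", path)
    if not m:
        return False
    flags = {f.strip() for f in m.group(1).split(",")}
    if not {"old_error", "plain"} <= flags:
        return False
    if m.group(2) != mount.rstrip("/") + "/error":
        return False
    return "error" in parse_qs(parts.query)

def scan(lines, mount="/mail/"):
    """Map client address -> [(timestamp, status)] for matching requests."""
    hits = {}
    for line in lines:
        m = CLF.match(line)
        if m and is_error_probe(m.group("target"), mount):
            hits.setdefault(m.group("ip"), []).append(
                (m.group("ts"), m.group("status")))
    return hits

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /mail/ HTTP/1.0" 200 5120',
    '192.0.2.10 - - [01/Jan/2001:10:05:00 +0000] '
    '"GET /(old_error,plain)/mail/error?error=1 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2001:10:06:00 +0000] '
    '"GET /%28plain%2Cold_error%29/mail/error?error=1 HTTP/1.0" 200 2048',
    '203.0.113.5 - - [01/Jan/2001:10:07:00 +0000] '
    '"GET /mail/error?error=1 HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    for ip, seen in scan(SAMPLE).items():
        print(ip, seen)
```

Pass the actual mount point as `mount` if the IMHO module is not mounted on /mail/.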