From: Z0rbaS (zorbas_at_systat.cl)
Date: Sun Oct 06 2002 - 22:05:14 CDT
ArGoSoft Web-Mail security problem.
A vulnerability affects ArGoSoft Mail Server Pro for WinNT/2000/XP
(Version 1.8.1.9).
I did not test other versions; this is the only one I have, but others should be
vulnerable too. The problem is in the Web-Mail interface: it is possible to
execute JavaScript by sending it inside a mail. ArGoSoft does not filter
that, and you can steal the cookie from the user. The cookie has a problem
too: it saves the username and the password in plain text. You have only to
decode the cookie, and you have something like this:
mail
domain:password
I would deactivate the Web-Mail interface until a patch is released.
Francisco Claude
zorbas
systat.cl
P.S. Sorry for my bad English.
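
Added example (not part of the original post and not ArGoSoft's code): the two server-side mitigations the report points to, output-encoding a mail body before it is displayed and replacing a credential-bearing cookie with an opaque, HttpOnly session token. The function names, the `sid` cookie name and the in-memory session store are assumptions made for illustration.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Server-side session store: opaque token -> username (in-memory for this example).
SESSIONS = {}


def render_message_body(raw_body: str) -> str:
    """Encode a plain-text mail body so any markup in it is displayed, not executed."""
    return "<pre>" + html.escape(raw_body, quote=True) + "</pre>"


def issue_session_cookie(username: str) -> str:
    """Return a Set-Cookie value holding only a random token, never credentials."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # not readable from document.cookie
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Strict"
    return cookie["sid"].OutputString()


def user_for_cookie(cookie_header: str):
    """Resolve a request's Cookie header to a username, or None if unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    # Constructed sample message body containing script markup.
    sample = "Hello <script>alert(1)</script>"
    print(render_message_body(sample))
    # Constructed sample account name.
    print(issue_session_cookie("alice@example.test"))
```

HTML-formatted mail needs an allow-list sanitizer rather than plain escaping; the encoding shown here covers bodies displayed as text.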