Bugtraq mailing list archives
Re: Another web-based mail reader hole
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Tue, 19 Jan 1999 18:45:50 +0100
On Mon, Jan 18, 1999 at 03:24:09PM -0800, Dave Pifke wrote:
> This bug has been fixed in most webmail clients for quite some time now, but I guess some people just don't see security as a design priority.
>
> The free, web-based mail client at www.angelfire.com passes authentication data in the URL. So your authentication token happily gets logged if you use a proxy server or follow a link in a mail message (via the HTTP referrer header).
Actually, squid logs those requests up to the ? by default, removing the parameter part.

Greetz, Peter.

--
<squeezer> AND I AM GONNA KILL MIKE                  | Peter van Dijk
<squeezer> hardbeat, if you're still sober:          | peter () attic vuurwerk nl
<squeezer> @date = localtime(time);                  | realtime security d00d
<squeezer> $date[5] += 2000 if ($date[5] < 37);      |
<squeezer> $date[5] += 1900 if ($date[5] < 99);      | * blah *
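The two messages above describe one leak path (a credential carried in the URL ends up in proxy access logs and in the Referer header) and one default that happens to limit it (squid cutting the logged URL at the `?`). The following is an added example, not code from either poster, showing how a log-side sanitizer can apply that same cut, or a finer-grained redaction of credential-looking parameters, to squid-style access log lines. The parameter names treated as sensitive and the sample log line are constructed for this example; the thread does not name Angelfire's actual parameter names.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials. This set is an assumption made for
# the example; it is not taken from the thread.
SENSITIVE_PARAMS = {"token", "session", "sid", "password", "passwd", "auth"}

# Constructed squid native-format access log line (not a real capture).
# Field layout: time elapsed client code/status bytes method URL ident hier/from type
SAMPLE_LOG = (
    "916684800.123 45 10.0.0.7 TCP_MISS/200 2048 GET "
    "http://webmail.example.com/inbox.cgi?user=alice&token=SECRET123 "
    "- DIRECT/192.0.2.10 text/html"
)


def strip_query(url: str) -> str:
    """Keep the URL only up to the '?', dropping query string and fragment.

    This mirrors the squid default behaviour described in the reply above and
    is also what a client should send in a Referer header if it must send one.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redact_query(url: str) -> str:
    """Keep the query but replace values of credential-looking parameters.

    Useful when the remaining parameters are needed for troubleshooting and
    dropping the whole query string would lose too much.
    """
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment)
    )


def sanitize_log_line(line: str, mode: str = "strip") -> str:
    """Sanitize one squid native-format access log line.

    Fields are whitespace separated and the request URL is the 7th field
    (index 6). Lines that do not match that shape are returned unchanged so a
    malformed line is never silently dropped from the log.
    """
    fields = line.split()
    if len(fields) < 7:
        return line
    sanitizer = strip_query if mode == "strip" else redact_query
    fields[6] = sanitizer(fields[6])
    return " ".join(fields)


if __name__ == "__main__":
    print(sanitize_log_line(SAMPLE_LOG))
    print(sanitize_log_line(SAMPLE_LOG, mode="redact"))
```

Stripping at the `?` is the safer default because it needs no knowledge of which parameter carries the credential; the redaction mode only helps when the parameter names are known in advance, which is exactly the information a log administrator usually lacks for third-party web applications.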
Current thread:
- Re: Sendmail 8.8.x/8.9.x bugware, (continued)
- Re: Sendmail 8.8.x/8.9.x bugware Frank Louwers (Jan 18)
- Win95/98 SMB Authentication Vulnerability (fwd) tschweik () FIDUCIA DE (Jan 18)
- [SECURITY] ftpwatch package has major security problems Jamie Fifield (Jan 17)
- Michal's report and sendmail-8.9.2 GvS (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Jens Hoffmann (Jan 16)
- Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 17)
- Re: Sendmail 8.8.x/8.9.x bugware John Mizzi (Jan 17)
- Personal web server kiborg (Jan 17)
- Re: Personal web server Dave Pifke (Jan 18)
- Another web-based mail reader hole Dave Pifke (Jan 18)
- Re: Another web-based mail reader hole Peter van Dijk (Jan 19)
- Personal web server kiborg (Jan 17)
- Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Nic Bellamy (Jan 19)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race Luke Mewburn (Jan 20)
- Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Alan Cox (Jan 23)
- Mirc 5.5 'DCC Server' hole Spikeman (Jan 24)
- Re: Mirc 5.5 'DCC Server' hole Sandro Jurado (Jan 26)
- Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Casper Dik (Jan 25)
- Announcement: Wietse's FTP site has moved Wietse Venema (Jan 25)
- Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Alan Cox (Jan 23)