Security hole in mail2web web-based emailservice

[patrick () PINE NL (Patrick Oonk)]

Hi,

My collegue Roy Froma was checking a httpd-log while debugging a
web site script, and saw a strange looking 
referer in the log. When he copied this URL to his browser, he was 
suddenly reading somebody elses mail.  Apparently this person had 
clicked on a link to our site in his email. 

The URL looked like this (wrapped for readability):
http://www.mail2web.com/cgi-bin/readmsg.asp?listdirection=-1
&listperpage=10&msgnumber=1&abc=VERYLONGSTRINGGOINGONFORAGES

After about five minutes the authentication expired, maybe due to the 
legitimate owner of the mail logging off from the service.

Mail2web seems to be some kind of pop-to-web gateway, offered
by the webhosting service Softcom.

Nice quote from the Mail2web site: "Mail2Web lets you to have control on
your email without the hassle. Your activities are private and none of 
them are being recorded."

They have been notified.

        Patrick

-- 
 Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
 Pine Internet B.V.      GOAT666-RIPE          PGP key ID BE7497F1  
 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
 ----    Pine Security Digest - http://security.nl/ (Dutch)   ----
 Excuse of the day: Your excuse is: The electricity substation in
 the car park blew up.


<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>