Date: Tue, 18 Nov 2003 02:18:04 +0100 (CET)
From: Vincenzo Ciaglia <>
Subject: PCL-0002: Session Hijacking in "Sqwebmail"


PCL-0002: Session Hijacking in "Sqwebmail"

PuCCiOLAB.ORG Security Advisories                                       Vincenzo Ciaglia
November 18th, 2003

Package        : Sqwebmail
Vendor         : Inter7
Vulnerability  : access to private account without login, session
Problem-Type   : remote
risk           : low
Version        : All versions seem to be affected.
Official Site  :
N Advisories  : 0002

About Sqwebmail
SqWebMail is a web CGI client for sending and receiving E-mail using
Maildir mailboxes. SqWebMail DOES NOT support
traditional Mailbox files, only Maildirs. This is the same webmail server
that's included in the Courier mail server,
but packaged independently. If you already have Courier installed, you do
not need to download this version.

Proof of concept
An attacker could send an email to a victim who uses SqWebMail, to get the
victim to visit a website, which then logs all
available information about the victim's system.


In this example, the victim has viewed our website while reading the mail
that we sent him. The visit to the link has been
recorded by our counter. We are now able to access the victim's
mail administration page and can read and send, at leisure,
his email without logging in. The session is closed after approximately
20/30 minutes, so the attacker has time
to do as he pleases.

What could an attacker do?
Read, write and forge your e-mail. The attacker could send, from your email address, a
mail to your ISP asking for the username and password of your
website. The consequences would be catastrophic.

What can I do?
Currently there seems to be no patch for this problem.

Suggestion to SqWebMail
The time before sessions are closed should be reduced.

Vincenzo Ciaglia
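
An added example, not part of the original advisory and not SqWebMail's code: a minimal server-side session check that applies the suggestion above (an idle timeout) and, going beyond the advisory, optionally binds the session to the login address, because a timeout only narrows the window in which a captured session works. The struct, function names, token and addresses are hypothetical, constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical session record; field names are illustrative, not SqWebMail's. */
struct session {
    char   token[33];      /* opaque session identifier */
    char   client_ip[46];  /* address that performed the login */
    time_t last_seen;      /* time of the last accepted request */
};

enum session_result { SESSION_OK, SESSION_BAD_TOKEN, SESSION_EXPIRED, SESSION_IP_MISMATCH };

/* Compare two strings without stopping at the first differing byte. */
static int token_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* idle_timeout is in seconds; bind_ip != 0 also requires the login address. */
enum session_result session_check(struct session *s, const char *token,
                                  const char *ip, time_t now,
                                  long idle_timeout, int bind_ip)
{
    if (s->token[0] == '\0' || !token_equal(s->token, token))
        return SESSION_BAD_TOKEN;
    if (difftime(now, s->last_seen) > (double)idle_timeout) {
        s->token[0] = '\0';            /* a closed session cannot be revived */
        return SESSION_EXPIRED;
    }
    if (bind_ip && strcmp(s->client_ip, ip) != 0)
        return SESSION_IP_MISMATCH;    /* rejected request does not refresh the timer */
    s->last_seen = now;                /* sliding idle window */
    return SESSION_OK;
}

int main(void)
{
    /* Constructed sample: login from 192.0.2.10 at t=1000, 30-minute timeout. */
    struct session s = { "0123456789abcdef0123456789abcdef", "192.0.2.10", 1000 };
    const char *tok = "0123456789abcdef0123456789abcdef";
    printf("timeout only, other address: %d\n", session_check(&s, tok, "198.51.100.7", 1100, 1800, 0));
    printf("with binding, other address: %d\n", session_check(&s, tok, "198.51.100.7", 1200, 1800, 1));
    printf("login address after idle:    %d\n", session_check(&s, tok, "192.0.2.10", 2901, 1800, 1));
    return 0;
}
```

With the timeout alone, the replayed token is accepted from a second address for as long as the session stays active; with binding enabled the same request is refused.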
