Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5537.htm

IMHO webmail allows reading other users mail



15th Jul 2002 [SBWID-5537]
COMMAND

	IMHO webmail allows reading other users mail

SYSTEMS AFFECTED

	IMHO 0.97.x and Roxen 1.3.122

PROBLEM

	SecurityBugware was informed that :
	

	If on an IMHO based system, you :
	

	 - Login with an valid user/passwd,

	 - Logout

	 - Goto URL : (((webmail_URL)))/(old_error,plain)/mail/error?error=1

	              [if IMHO module is mounted un /mail/]

	

	You will see a error page with a referer, just  copy  and  paste  it  to
	your browser and you\'ll get the inbox contents.
	

	This works if session has not expired, and browser wasn\'t closed.

SOLUTION

	 Update

	 ======

	

	To fix the issue add the following line to Roxen configuration file  and
	reload Roxen :
	

	Global Variables -> Show the internals : No

	

	

	Note that although CAMAS was initially an IMHO fork, it is unafected  by
	the bug.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH