IceWarp WebMail Static Session ID Arbitrary Account Hijack

2002-02-09T00:00:00
ID OSVDB:8526
Type osvdb
Reporter OSVDB
Modified 2002-02-09T00:00:00

Description

Vulnerability Description

Web Mail contains a flaw that may allow a malicious user to hijack user accounts. The issue is triggered when a static identifier, used as the user's session ID, is exposed in the URL and can be extracted from it. It is possible that the flaw may allow privilege escalation, resulting in a loss of confidentiality and integrity.

Solution Description

Upgrade to version 4.2.3 or higher, which has been reported to fix this vulnerability. Alternatively, apply the following workaround: decrease the timeout value for the session ID by locating the default value of 240 in the include.html file and setting it to a lower value.
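The two weaknesses the advisory describes are a session identifier that is static rather than unpredictable, and a session lifetime long enough for a leaked identifier to stay usable. The following Python is an added example, not IceWarp code, of a session store that addresses both: IDs come from the OS CSPRNG and are bound to one account, and lookups enforce an idle timeout. The timeout being expressed in minutes and the ManualClock helper are assumptions for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Idle timeout for a session ID. The advisory's workaround lowers the
# default of 240 in include.html; a shorter window limits how long a
# leaked identifier remains usable. Reading that value as minutes is an
# assumption made for this example.
IDLE_TIMEOUT_MINUTES = 30

@dataclass
class Session:
    account: str
    last_seen: float

class SessionStore:
    """Issues unpredictable, expiring session IDs bound to one account."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout_minutes: int = IDLE_TIMEOUT_MINUTES) -> None:
        self._clock = clock  # injectable so expiry can be tested offline
        self._ttl = idle_timeout_minutes * 60
        self._sessions: Dict[str, Session] = {}

    def create(self, account: str) -> str:
        # 32 bytes from the OS CSPRNG: the ID is not static per account and
        # cannot be derived from the username, a counter or the clock.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(account, self._clock())
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the bound account, or None if unknown or idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._ttl:
            del self._sessions[sid]  # expired: drop it instead of keeping it
            return None
        sess.last_seen = now  # sliding idle window
        return sess.account

class ManualClock:
    """Constructed clock so the timeout can be exercised without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
```

Even with random IDs, the identifier should travel in a cookie rather than the URL, since URLs end up in browser history, proxy logs and Referer headers.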

References:

Security Tracker: 1003495
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=101328887821909&w=2
ISS X-Force ID: 9807
CVE: CVE-2002-0258