Here's a bugreport and a fix for MDaemon 2.8.
It is possible to hijack an HTTP session from MDaemon / WorldClient Standard version 2.8
MDaemon 2.8 comes with WorldClient Standard, which allows you to read your mail using a browser. When you receive an HTML-formatted message and click on a link in it, WorldClient sends the session ID to the linked site in the Referer header of the HTTP request. This ID can then be used to open the user's mailbox from any other location.
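The leak described above shows up in the access log of whatever site the user clicked through to. The following is an added example, not code from the original report or from Alt-N: it scans constructed combined-format log lines for Referer headers that carry a session token, and shows the URL rewrite a fix needs (keeping the token out of the URL). The parameter names `SessionID`/`Session`/`sid` and the hostnames are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit, urlencode

# Assumption: WorldClient-style parameter names; adjust them to the
# webmail product being audited.
SESSION_PARAMS = {"sessionid", "session", "sid"}

# Constructed access-log lines (combined format) as a third-party site would
# record them; the second and third carry a webmail URL in the Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "GET /news.html HTTP/1.0" 200 2048 '
    '"http://mail.example.test/WorldClient.dll?SessionID=abc123&View=Message" "Mozilla/4.0"',
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "GET /news.html HTTP/1.0" 200 2048 '
    '"http://mail.example.test/WorldClient.dll?Session=zzz999" "Mozilla/4.0"',
    '198.51.100.9 - - [01/Jan/2000:10:02:00 +0000] "GET /a.gif HTTP/1.0" 200 64 '
    '"http://other.example.test/page?id=5" "Mozilla/4.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')


def session_in_url(url):
    """Return the session token carried in the URL's query string, or None."""
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() in SESSION_PARAMS:
            return values[0]
    return None


def find_referer_leaks(lines):
    """Return [(client_ip, referer_host, token)] for requests whose Referer
    header exposed a webmail session token to this (third-party) server."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue
        token = session_in_url(m.group("ref"))
        if token:
            leaks.append((m.group("ip"), urlsplit(m.group("ref")).hostname, token))
    return leaks


def strip_session(url):
    """Drop session parameters so the URL is safe to appear in a Referer
    (the token then has to live in a cookie instead; assumed fix shape)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qs(parts.query).items() if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))
```

Running `find_referer_leaks(SAMPLE_LOG)` on the constructed lines reports the two leaked tokens with the client that carried them, which is the signal a site operator can hand back to the webmail administrator.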
I contacted Alt-N, and a fix was released one day after reporting the problem (compliments to Alt-N!).
Download the fix for MDaemon 2.8 and upgrade to 184.108.40.206. You will need MDaemon version 220.127.116.11 to install this fix.
ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patchNT.exe - NT version
ftp://ftp.altn.com/MDaemon/Archive/2.8/md2875patch9X.exe - 9X version
Users of MDaemon version 3 should also upgrade to the latest version as this problem also existed in MDaemon 3. It was fixed a few months ago.
--
:: http://www.let.uu.nl/~Jeroen.Schipper, Network Administrator
:: Utrecht University, Center for Information Technology and Multimedia
:: Office: KNG80, k2.09 / Phone/fax: +31(30) 253 6031 / 9191