Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   IMail Server Vendors:   Ipswitch
Ipswitch IMail Server Discloses Authentication Tokens to Remote Users Letting Remote Users Access Other User Accounts
SecurityTracker Alert ID:  1003777
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 10 2002
Impact:   Disclosure of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.05 or earlier
Description:   A vulnerability was reported in Ipswitch's IMail server. A remote user can access another IMail user's account.

Eye on Security reported a vulnerability in IMail. A remote user can send an HTML e-mail message to a target (victim) user that contains an image located on another server. Then, when the target user receives the message, the target user's web browser will retrieve the image and provide the referring URL. The referring URL will contain a session authentication code from the IMail server. This URL can be used to access the target user's account.

Impact:   A remote user can access another user's e-mail account.
Solution:   The vendor has released a fix (7.06). This version reportedly checks to ensure that the unique URL (including a session authentication ID) and the IP address are valid.
Vendor URL: (Links to External Site)
Cause:   Access control error, Authentication error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] IMail Account hijack through the Web Interface

Advisory Title: IMail Account hijack through the Web Interface
Release Date: 10/03/2002
Application: IMail Server

Platform: Windows NT4
          Windows 2000
          Windows XP

Version: 7.05 or earlier

Severity: Malicious users can easily access other people's accounts.

Author: Obscure^ [ ]

Vendor Status: Informed on 21 Feb 2002, a fix was already issued to



(extracted from

The 20-Minute E-Mail Solution.
IMail Server is an easy-to-use, web-enabled, secure and
mail server for Windows NT/2000/XP. It is the choice
of businesses, schools, and service providers.

A Great Price-Performer.
deploy and cumbersome to administer, IMail Server is easy
to install and easy to manage. It has a simple pricing structure and
is scalable to thousands of users per server.


When a user logs in to his account through the Web interface, the
session authentication is maintained via a unique URL.
By sending an html e-mail which includes an image at another server,
an attacker can easily get the unique URL via the
referer field in the HTTP header.

Exploit Example.
A CGI script sends an e-mail with an attached image, pointing to
another CGI script which sends the referer URL to the


Upgrade to IMail 7.06. The fixed version checks for the IP. The
authentication now relies on the unique URL and the IP
address. Of course users who log in to IMail Web interface from
proxies, are still vulnerable.

ps. this same vulnerability effects Excite WebMail. The Excite guys
did not contact me back.


The information within this document may change without notice. Use
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's


Please send suggestions, updates, and comments to:

Eye on Security
mail :
web  :


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC