Emurl 2.0 Exposes Users' Mailboxes
Reported May 15, 2000 by Pierre Benoit
Emurl allows Web-based access to user mailboxes via an encoded URL. Due to a flaw in the product design, a user who can properly encode a user account number can also access any mailbox on the system without the use of a password. Furthermore, if identical mailboxes exist on two or more systems, the same URL could be used to access the mailbox on all those systems.

A typical Emurl would appear as follows:

\[ wrapped \] \[ wrapped \]

The following code will generate an account number for a given mailbox name:

    print "Enter your ID: ";

VENDOR RESPONSE

SeattleLab is aware of the issue and released an updated version that corrects the problems.

CREDITS
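Added example, not part of the original advisory and not SeattleLab's code: the design flaw described above (an identifier computable from the mailbox name acting as the only credential, valid on every server) next to a hardened form that issues a per-server keyed, expiring token only after a password check. The `weak_account_number` encoding is a constructed stand-in, not Emurl's actual algorithm; the class names, secrets and 900-second lifetime are assumptions.

```python
import hashlib, hmac, time

def weak_account_number(mailbox):
    # Constructed stand-in for an unkeyed encoding (NOT Emurl's real algorithm):
    # anyone who knows the mailbox name can compute it.
    return hashlib.sha256(mailbox.lower().encode()).hexdigest()[:16]

class WeakServer:
    """Flawed design: the encoded account number in the URL is the only credential."""
    def __init__(self, mailboxes):
        self.by_number = {weak_account_number(m): m for m in mailboxes}
    def open_mailbox(self, account_number):
        return self.by_number.get(account_number)  # no password, no server secret

class HardenedServer:
    """Access needs a token issued after login, keyed with a per-server secret."""
    def __init__(self, mailboxes, secret, ttl=900):
        self.mailboxes, self.secret, self.ttl = set(mailboxes), secret, ttl
    def _mac(self, mailbox, expires):
        msg = f"{mailbox}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
    def issue_token(self, mailbox, password_ok, now=None):
        if not password_ok or mailbox not in self.mailboxes:
            return None
        expires = int(time.time() if now is None else now) + self.ttl
        return f"{mailbox}|{expires}|{self._mac(mailbox, expires)}"
    def open_mailbox(self, token, now=None):
        try:
            mailbox, expires, mac = token.rsplit("|", 2)
            expires = int(expires)
        except (ValueError, AttributeError):
            return None  # malformed token, e.g. a bare account number
        if not hmac.compare_digest(mac.encode(), self._mac(mailbox, expires).encode()):
            return None  # forged, or minted by a server with a different secret
        if (time.time() if now is None else now) > expires:
            return None  # expired
        return mailbox if mailbox in self.mailboxes else None

if __name__ == "__main__":
    # Constructed sample data: two servers that both host a mailbox named "alice".
    number = weak_account_number("alice")
    print("weak A:", WeakServer(["alice", "bob"]).open_mailbox(number))
    print("weak B:", WeakServer(["alice"]).open_mailbox(number))
    a = HardenedServer(["alice"], b"constructed-secret-A")
    b = HardenedServer(["alice"], b"constructed-secret-B")
    token = a.issue_token("alice", password_ok=True)
    print("hardened A:", a.open_mailbox(token))
    print("hardened B:", b.open_mailbox(token))
    print("hardened A, bare number:", a.open_mailbox(number))
```
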