Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

ArGoSoft Web-Mail security problem

From: Z0rbaS <zorbas () systat cl>
Date: Sun, 6 Oct 2002 23:05:14 -0400
ArGoSoft Web-Mail security problem.

A vulnerability affects ArGoSoft Mail Server Pro for WinNT/2000/XP
(Version 1.8.1.9)
I did not test other versions, this is the only I have, but others should be 
vulnerable too. The problem is in the Web-Mail interface, it is posible to 
execute javascript by sending it inside a mail, ArGoSoft does not filter 
that, and you can steal the cookie from the user, the cookie has a problem 
too, it saves the username and the password in plain text, you have only to 
decode the cookie, and you have something like that:

mail@domain:password

I would desactivate de Web-Mail interface until a patch is released.


Francisco Claude
zorbas () systat cl

P.S. Sorry for my bad english.
Previous By Date Next
Previous By Thread Next

Current thread: