[16403] in bugtraq
Re: Accounts easily compromised on Critical Path web mail
daemon@ATHENA.MIT.EDU (Michael Serbinis)
Sat Aug 26 02:20:23 2000
Message-Id: <20000825221341.12959.qmail@securityfocus.com>
Date: Fri, 25 Aug 2000 22:13:41 -0000
Reply-To: Michael Serbinis <ms@CP.NET>
From: Michael Serbinis <ms@CP.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0008212241080.18682-100000@piglet>
It was recently reported on Bugtraq that a loophole was found in Critical Path's Webmail product. Upon identifying this bug, Critical Path's team quickly developed and implemented a bug fix. Action was taken immediately and the patch was rolled into production after the proper quality assurance reviews were conducted.
Critical Path has now modified the way cookies are used in its Webmail product, improving security for all its customers. Cookies will change every time a user logs in, being session specific. All sessions initiated with out-of-date or invalid cookies will be ignored. In addition, the web mail software escapes html/script entities to prevent malicious code from affecting user security.
None of Critical Path's customers experienced any impact from this bug. The fact remains that security will continue to be an ongoing challenge for any company on or associated with the Internet. Critical Path will continue to maintain the high security standards that its customers expect.
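The two mitigations the vendor describes above (a fresh, session-specific cookie on every login with stale or unknown cookies rejected, and HTML/script entities escaped before mail content is rendered) can be sketched in a few lines of server-side logic. The following is an added illustration written for this archive page; it is not Critical Path's code and makes no claim about how their Webmail product implemented the fix. It assumes a server-side session table keyed by an unguessable random token, a session lifetime of one hour (a constructed value), and an injectable clock so expiry can be exercised offline.

```python
import html
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime, not a value from the advisory


class SessionStore:
    """Server-side session table: cookie value -> (user, expiry time).

    A new random token is issued on every login and any earlier token for the
    same user is discarded, so a cookie captured from an old session cannot be
    replayed. Unknown or expired tokens resolve to no user at all.
    """

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> (user, expiry)
        self._now = now      # injectable clock for testing

    def login(self, user):
        # Drop previous sessions for this user: old cookies become invalid.
        stale = [tok for tok, (u, _) in self._sessions.items() if u == user]
        for tok in stale:
            del self._sessions[tok]
        # 256 bits from the OS CSPRNG; never derived from the username or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def resolve(self, token):
        """Return the user owning this cookie, or None if it is unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self._now() > expiry:
            del self._sessions[token]   # out-of-date cookie: ignore and forget it
            return None
        return user

    def logout(self, token):
        self._sessions.pop(token, None)


def set_cookie_header(token):
    """Set-Cookie value for the session token.

    Secure keeps it off plaintext links; HttpOnly keeps it away from any
    script that does slip through the escaping below.
    """
    return f"session={token}; Path=/; Secure; HttpOnly"


def render_message(subject, body):
    """Render a mail message into HTML with every entity escaped.

    Sender-controlled text (subject, body) is passed through html.escape so
    '<', '>', '&' and quotes become entities and cannot form tags or scripts
    in the recipient's browser.
    """
    return f"<h1>{html.escape(subject)}</h1>\n<pre>{html.escape(body)}</pre>"


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("alice")
    second = store.login("alice")          # second login: new cookie, old one dead
    print(store.resolve(first), store.resolve(second))
    print(set_cookie_header(second))
    # Constructed sample message carrying script in the body.
    print(render_message("Re: <test>", "<script>alert('x')</script>"))
```

The two halves are independent: the session table defeats cookie reuse regardless of how the cookie was obtained, while escaping closes the path by which mail content could execute in the reader's browser in the first place.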