Shockro,
The danger is also in variables. Pretend that I get you to click on this
link from within your custom intranet mail app.
http://intranet.example.com/mailbox.asp?action=forward&item=all&[EMAIL PROTECTED]
It would forward all of your mail to [EMAIL PROTECTED]. This would work
because you already have a session with mailbox.asp.
Of course mailbox.asp is fake but you get the idea.
-Cassius
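
Added example, not part of the original post: a Python sketch of the server-side defence against the link described above, with a handler that trusts the session alone next to one that also requires POST and a session-bound token for state changes. The handler names, action names and session id are assumptions made for illustration; the recipient parameter is redacted on the page and is left out of the sample URL.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed)
STATE_CHANGING = {"forward", "delete"}    # hypothetical action names


def csrf_token(session_id: str) -> str:
    """Token bound to one session; only the app's own forms embed it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_vulnerable(method: str, url: str, session_id: str) -> str:
    """Acts on any request that arrives with a live session, as in the post."""
    query = parse_qs(urlsplit(url).query)
    if not session_id:
        return "401 login required"
    return f"200 performed {query['action'][0]}"


def handle_hardened(method: str, url: str, session_id: str, form: dict) -> str:
    """Same handler; state changes need POST plus the session-bound token."""
    query = parse_qs(urlsplit(url).query)
    if not session_id:
        return "401 login required"
    action = query.get("action", ["view"])[0]
    if action in STATE_CHANGING:
        if method != "POST":
            return "405 state change requires POST"
        supplied = form.get("csrf_token", "").encode()
        expected = csrf_token(session_id).encode()
        if not hmac.compare_digest(supplied, expected):
            return "403 missing or invalid CSRF token"
    return f"200 performed {action}"


# Constructed sample input: the link from the post without the redacted part.
LINK = "http://intranet.example.com/mailbox.asp?action=forward&item=all"
SESSION = "constructed-session-id"

if __name__ == "__main__":
    print(handle_vulnerable("GET", LINK, SESSION))
    print(handle_hardened("GET", LINK, SESSION, {}))
    print(handle_hardened("POST", LINK, SESSION, {}))
    print(handle_hardened("POST", LINK, SESSION, {"csrf_token": csrf_token(SESSION)}))
```

A page on another site cannot read the token out of the victim's session, so a clicked link or forged form fails the check even though the browser still sends the session cookie.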