Norman,

Wednesday, March 20, 2002 you wrote:

NJN> I don't know if there are any other conclusions that can be
NJN> drawn, but to me this points to someone who knows nothing about
NJN> iMail and just wanted to try to get a few kicks.

A lot of people, myself included, use various "public" e-mail
accounts when we are uncertain just where our e-mail might be
sent.

NJN> A round of "I'm sorry"'s all around to anyone who was offended by
NJN> my (including, but not limited to) comments, posts, rantings,
NJN> HTML emails, stats, web page colors, and/or disposition.

Actually my own opinion is that you are to be thanked and
congratulated for finding the problem and reporting it. I
certainly tested it both from your test page and from my own test
program and I found that you were exactly correct. It is a
significant vulnerability.

Other security vulnerabilities have been reported on this forum.
One that I do not believe has been fixed yet by IPSWITCH has to
do with using a % sign address sent to a secondary mail server
for IMAIL. Scott Perry has a provision in Declude which handles
this so I have not been too concerned about it. However, I have
stopped a few messages that were indeed attempting to take
advantage of the vulnerability. I know this was reported to IMAIL
but I do not believe it has been corrected.

So I appreciate the fact that you posted the information to the
list. At least I can decide if I want to respond to the
vulnerability myself.

Terry Fritts