Warning for anyone using Network Solutions for webmail
I run a referrer site.
It spits out a list of referrers to any site the code is on. Today I looked and noticed a link that said "inbox". Being curious, I clicked it. To my disgusted surprise, the URL contained the SID (session ID) and, with no security, took me directly to the user's inbox. No username, password, etc., because Netsol's webmail has extremely weak security in their programming.
It surprises me, honestly; this method isn't used much anymore for this exact reason.
Anyway, just a note: anyone using them for email should immediately stop. I grabbed the user's email address and sent him an email explaining this. What had happened was someone sent him an email with a link to my website. Since he was using webmail, it came across just like a referrer.
Mods, if you want a proof of concept, let me know and I'll re-create the problem.
FYI, I added a filter to dump any link that says 'inbox' from now on, but the vulnerability is there nonetheless.
Last edited by sirius; 01-04-2007 at 11:03 PM.
Show your reciprocal links on your website. eReferrer
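The leak described in the post (a session ID carried in the webmail URL, shipped to a third party in the Referer header when the user clicks an outbound link) is shown below as an added example. This is not code from the original post, from eReferrer, or from Network Solutions. It assumes a few constructed access-log lines in combined log format, a made-up webmail host `webmail.example.net`, a made-up session table, and a hypothetical list of parameter names that commonly carry session tokens. It covers both sides of the problem: what a referrer-listing site should do before publishing a referrer (redact session-bearing parameters rather than match on the word "inbox"), and the check a webmail application should make (accept the session only from a cookie, never from the query string, and send a `Referrer-Policy` header, a modern mitigation that did not exist in 2007).

```python
"""
Constructed example: session IDs leaking through the Referer header.

Not code from the original post or from any vendor. Log lines, host
names, session IDs and parameter names below are all made up.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string names that commonly carry a session token (assumption
# for this example; extend for the applications you actually see).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid",
                  "jsessionid", "token"}

# Constructed combined-log-format lines as a referrer site would
# collect them. Line 1 is the webmail case from the post: the Referer
# is the user's inbox URL with the session ID in it.
LOG_LINES = [
    '203.0.113.5 - - [04/Jan/2007:22:41:07 -0500] "GET /ereferrer.js HTTP/1.1" 200 512 '
    '"http://webmail.example.net/mail/inbox.cgi?sid=3f9a8c2e1b7d&folder=INBOX" "Mozilla/4.0"',
    '198.51.100.9 - - [04/Jan/2007:22:42:13 -0500] "GET /ereferrer.js HTTP/1.1" 200 512 '
    '"http://blog.example.org/post/123" "Mozilla/4.0"',
    '192.0.2.77 - - [04/Jan/2007:22:43:01 -0500] "GET /ereferrer.js HTTP/1.1" 200 512 '
    '"-" "Mozilla/4.0"',
]

# Request line, status, size, then the quoted Referer field.
REFERER_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')


def redact_session_params(url):
    """Return (redacted_url, names_redacted).

    Session-bearing query parameters have their values replaced with
    'REDACTED'. A servlet-style ';jsessionid=...' path segment is
    redacted too, since it leaks the same way.
    """
    parts = urlsplit(url)
    redacted, clean = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            redacted.append(name)
            clean.append((name, "REDACTED"))
        else:
            clean.append((name, value))
    path = re.sub(r";jsessionid=[^/?#]+", ";jsessionid=REDACTED",
                  parts.path, flags=re.I)
    if path != parts.path:
        redacted.append("jsessionid")
    return (urlunsplit((parts.scheme, parts.netloc, path,
                        urlencode(clean), parts.fragment)), redacted)


def referrers_for_display(log_lines):
    """What the referrer site should publish: one entry per real referrer,
    with any session token scrubbed before it reaches the page.

    Filtering on the word 'inbox' catches one webmail; this catches the
    token regardless of what the page is called.
    """
    out = []
    for line in log_lines:
        m = REFERER_RE.search(line)
        if not m or m.group("ref") in ("", "-"):
            continue  # no Referer sent (direct hit, or browser stripped it)
        url, leaked = redact_session_params(m.group("ref"))
        out.append({"url": url, "leaked_session": bool(leaked)})
    return out


# Constructed session table for the webmail side of the example.
VALID_SESSIONS = {"3f9a8c2e1b7d": "user@example.net"}


def webmail_response(cookies, query):
    """Minimal model of the webmail-side fix. Returns (status, headers, body).

    - The session is read from a cookie only. A session ID arriving in the
      query string is ignored and the client is redirected to a clean URL,
      so the ID never lives in a URL that browsers put in Referer headers,
      history or proxy logs.
    - Every response carries Referrer-Policy: no-referrer so outbound
      clicks from the inbox do not disclose the inbox URL at all.
    """
    headers = {"Referrer-Policy": "no-referrer"}
    if any(k.lower() in SESSION_PARAMS for k in query):
        headers["Location"] = "/mail/inbox.cgi"
        return 302, headers, ""
    user = VALID_SESSIONS.get(cookies.get("sid", ""))
    if user is None:
        headers["Location"] = "/login"
        return 302, headers, ""
    return 200, headers, "inbox for " + user


if __name__ == "__main__":
    for entry in referrers_for_display(LOG_LINES):
        print(entry)
    print(webmail_response({}, {"sid": "3f9a8c2e1b7d"}))
    print(webmail_response({"sid": "3f9a8c2e1b7d"}, {}))
```

The redaction step runs on the referrer site; it keeps the referrer useful for its purpose (showing where visitors came from) while making sure a pasted session ID is never republished. The `webmail_response` model is the actual fix, which only the webmail operator can apply: once the session lives in a cookie and outbound links carry no referrer, there is nothing in the URL for a third-party site to pick up.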