Gossamer Forum

Is This Taken Care Of On GM?

Hi,

Just wanted to know if the GM was free from security vulnerabilities as listed for certain webmails in the following article:

http://www.security-express.com/...aq/2000-01/0135.html

I may sound stupid, but due to server being compromised recently, looks like slapper worm, I am exploring all security vulnerabilities.....I know slapper may have nothing to do with GM but yes it is in context of the article referred to above that I have posted this....

Thnx

Anup

Last edited by: anup123: Jan 14, 2003, 6:19 AM

Re: [anup123] Is This Taken Care Of On GM?
Hi,

I am sure I would get comments on the subject from Experts. I am a Novice on this so no wonder I posted this query here. Hope I am in the right Forum with a pertinent question....

Thnx

Anup

Re: [anup123] Is This Taken Care Of On GM?
Hi,

Sorry about the late reply! Gossamer Mail is not affected by the referenced issue if you are using cookies for sessions. By default Gossamer Mail only stores your session id in a cookie, but if you have cookies disabled (you can tell this by seeing s=a_session_id_string in the URL), then it might be possible that an html email could reference an image that would log your cookie.

Cheers,

Alex
--
Gossamer Threads Inc.

Re: [Alex] Is This Taken Care Of On GM?
Hi Alex,

Correct me if I am wrong. In case the WAP utility has to function, then in setup the Cookies have to be OFF and all the Cookie Options have to be removed from the User Forms.

In that case, does it mean that GM is Vulnerable (with WAP Support Functional).....If it is then How does one have a setup where WAP utility functions without the Vulnerability....

Thnx

Anup

Re: [anup123] Is This Taken Care Of On GM?
Somewhat. WAP won't display HTML mail, so it won't reference images on a remote server, thereby passing the session id in the referer. Also, I'm not 100% sure if you can click through links on an email anyway, so the referer isn't passed there either.

Cheers,

Alex
--
Gossamer Threads Inc.
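
The leak discussed in the two replies above needs two things: the session id in the page URL (`s=...`) and an HTML message that makes the browser fetch something from another host, which sends that URL as the Referer. As an added example (not part of the thread and not Gossamer Mail's own code), this Python filter rewrites a message body before display so remote auto-loaded resources are blocked and links carry `rel="noreferrer"`; the attribute list, the `about:blank` placeholder and the sample message are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a browser fetches with no click (a subset chosen for this example;
# CSS url(...) and <link href> are not covered here).
AUTO_FETCH = {"src", "background", "poster"}
PLACEHOLDER = "about:blank"  # assumption: the mail UI shows its own "blocked" notice

def is_remote(url):
    """True for http(s) and scheme-relative URLs, i.e. requests leaving the webmail host."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") or (not parts.scheme and bool(parts.netloc))

class RefererSafeMail(HTMLParser):
    # Re-serialises the message; comments and doctype are dropped.
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, close=""):
        fixed = []
        for name, value in attrs:
            value = value or ""
            if name in AUTO_FETCH and is_remote(value):
                self.blocked.append(value)      # keep a record for the UI or logs
                value = PLACEHOLDER
            fixed.append((name, value))
        if tag == "a":                          # clicked links must not send a Referer
            fixed = [(n, v) for n, v in fixed if n != "rel"] + [("rel", "noreferrer")]
        rendered = "".join(f' {n}="{escape(v)}"' for n, v in fixed)
        self.out.append(f"<{tag}{rendered}{close}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize(html_body):
    """Return (rewritten_html, list_of_blocked_remote_urls)."""
    parser = RefererSafeMail()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample message: one remote image, one inline (cid:) image, one link.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="http://tracker.example/pixel.gif">'
          '<img src="cid:logo"><a href="http://shop.example/">offer</a>')
```

In current browsers, sending a `Referrer-Policy: no-referrer` response header on the mail pages addresses the same leak at the HTTP level.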

Re: [Alex] Is This Taken Care Of On GM?
Hi Alex,

I think I was not able to frame the query explicitly.

Quote:
By default Gossamer Mail only stores your session id in a cookie, but if you have cookies disabled (you can tell this by seeing s=a_session_id_string in the URL), then it might be possible that an html email could reference an image that would log your cookie.

With WAP Utility To Be functional, The Admin sets Cookie To OFF. So Cookies are Disabled...

Now with Web Access Of Mail (forget about the WAP), does it mean that GM is Vulnerable? I know html does not work in WAP...it's plain text....

Greetings
Anup