Webmail Security Issue

**edfortmiller** · 01-08-2004 01:17 PM

If I do http://domain.com/webmail I get prompted for a name and password and then get dispatched to: http://domain.com:2095/ which tells me I'm logged in and gives me the choice of 3 webmail applications. I choose SquirrelMail and do my thing. I then hit SignOut and I get told that I've successfully signed out.

But I'm not really signed out. If I were at a Public Terminal all a person behind me would have to do is come and hit the browser back button twice and they are back at my cPanel Email management window fully logged in and where they could get at my email or even forward my email using the Forward Options. In fact short of killing the browser off and restarting it you appear to always be logged in. If you are at a public terminal there most likely is not a way to kill the browser off. Even if I close the browser window and come back and do http://domain.com/webmail I'm still logged in.

To me this is a major security issue and would prevent me from using webmail to access my mail while at a public terminal where I cannot kill and restart the browser.

Is there a solution or a work around for this webmail security problem?

**majidalam** · 01-11-2004 03:28 AM

I am also looking solution for this .
anyhelp highly appricated.
chao

**cortices** · 01-11-2004 03:35 AM

Older versions of Mozilla had problems recognizing a logout. However, closing the browser *always* logged me out, no matter what. Make sure that the browser is actually closed. That means *all* the browser windows and associated programs.

**majidalam** · 01-11-2004 04:17 AM

this is the problem .
some time other webmail software are set the standard and users expect this from us as well.

there is another post on this
http://forums.cpanel.net/showthread....bmail+security

I am going to test above post if its work for me.

Chao!

**majidalam** · 01-12-2004 12:56 AM

neomail also have same flaw,when u press back after logout ,it shows all emails.

Any body help

Chao!

**edfortmiller** · 01-12-2004 08:34 AM

Originally posted by cortices
Older versions of Mozilla had problems recognizing a logout. However, closing the browser *always* logged me out, no matter what. Make sure that the browser is actually closed. That means *all* the browser windows and associated programs.

I tried this with Internet Explorer and the problem exists with that also.

The issue is when using a browser at a public location there usually is no way to close the browser down and restart it which means there is a SERIOUS SECURITY PROBLEM.

In the meantime it looks like the only solution to this security problem is to forward email to a Yahoo account (or other service) when traveling which allows one to log out without requiring the browser to be killed off.

A way to log off of the cPanel Mail Management window needs to be implemented.

**cortices** · 01-12-2004 01:57 PM

Yeah, that's a good point I hadn't considered. I was surprised to find that Webmail did not have a logout link. I wonder if such a script exists, just not linked inside the theme?

LinkBack

Thread Tools

Webmail Security Issue

HTML mail issue - Webmail Issue

Help!! Security Issue?

Webmail Security Issue?

Webmail security issue

Possible security issue