COMMAND

    mail2web

SYSTEMS AFFECTED

    mail2web web-based email service

PROBLEM

    Patrick Oonk posted the following.  His colleague Roy Froma was
    checking an httpd log while debugging a web site script, and saw a
    strange-looking referer in the log.  When he copied this URL to
    his browser, he was suddenly reading somebody else's mail.
    Apparently this person had clicked on a link to the site in his
    email.  The URL looked like this:

        http://www.mail2web.com/cgi-bin/readmsg.asp?listdirection=-1&listperpage=10&msgnumber=1&abc=VERYLONGSTRINGGOINGONFORAGES

    After about five minutes the authentication expired, maybe due to
    the legitimate owner of the mail logging off from the service.
    Mail2web seems to be some kind of pop-to-web gateway, offered
    by the webhosting service Softcom.

    Nice quote from the Mail2web site: "Mail2Web lets you to have
    control on your email without the hassle.  Your activities are
    private and none of them are being recorded."
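
    The leak above works because the value that authenticates the
    session travels in the query string, so it ends up in the Referer
    header and in the access log of any site the user follows a link
    to.  As an added example (not part of the original posting), a log
    scrubber a receiving site could run to find and redact such values;
    the 24-character threshold, the Combined Log Format layout and the
    sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a query value this long is treated as a possible session credential.
MIN_TOKEN_LEN = 24

# Combined Log Format (assumed): ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<head>.*?"[^"]*" \d{3} \S+ )"(?P<ref>[^"]*)"(?P<tail>.*)$')

def redact_referer(referer):
    """Return (scrubbed_referer, names_of_redacted_parameters)."""
    parts = urlsplit(referer)
    pairs, hits = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) >= MIN_TOKEN_LEN:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return referer, hits          # leave untouched referers byte-identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Redact the Referer field of one access-log line; unparsable lines pass through."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    referer, hits = redact_referer(m.group("ref"))
    return f'{m.group("head")}"{referer}"{m.group("tail")}', hits

# Constructed sample lines; the first carries the URL shape quoted in this advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 5120 '
    '"http://www.mail2web.com/cgi-bin/readmsg.asp?listdirection=-1&listperpage=10'
    '&msgnumber=1&abc=VERYLONGSTRINGGOINGONFORAGES" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Jan/2000:12:00:05 +0000] "GET /index.html HTTP/1.0" 200 5120 '
    '"-" "Mozilla/4.0"',
    '192.0.2.12 - - [01/Jan/2000:12:00:09 +0000] "GET /a.html HTTP/1.0" 200 880 '
    '"http://search.example/find?q=webhosting" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for number, raw in enumerate(SAMPLE_LOG, start=1):
        clean, hits = scrub_line(raw)
        if hits:
            print(f"line {number}: redacted referer parameter(s) {hits}")
        print(clean)
```

    Run over existing logs, the flagged lines also show which external
    services are handing session values to this site through Referer.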

SOLUTION

    Vendor notified.