SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMail Server Vendors:   Ipswitch
Ipswitch's IMail Server POP3 Daemon Discloses Information on Username Validity to Remote Users and Lets Valid Remote Users Change Account Names of Other Users
SecurityTracker Alert ID:  1002536
SecurityTracker URL:  http://securitytracker.com/id/1002536
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 12 2001
Impact:   Denial of service via network, Disclosure of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.04
Description:   A vulnerability was reported by ntsecurity.nu in the Ipswitch IMail Server. The POP3 server provides an indication to remote users as to whether a username is valid or not. The web messaging interface allows valid and authenticated remote users to change other users' account names.

One vulnerability was reported with the POP3 server and another with the web interface.

If a remote user supplies a valid username to the POP3 daemon, the server reportedly replies with the following:

+OK welcome

If a remote user supplies an invalid username (i.e., one that does not exist on the server) to the POP3 daemon, the server reportedly replies with the following:

+OK send your password

This information disclosure enables a remote user to probe the server for valid account names.

On the Web Messaging Server, a valid and authenticated remote user can change the user name of another account. This is possible because the server reportedly trusts the "olduser" hidden HTML INPUT tag in the "Change User Information" web form as being valid. The remote user can change the "olduser" value and submit the FORM with the malicious value to change the "olduser" account name to a different name.

Impact:   A remote user can determine whether a particular account name exists on the server. A valid and authenticated remote user can change any other user's accountname, providing a denial of service condition.
Solution:   The vendor has reportedly made a patch available at the Vendor URL.
Vendor URL:  www.ipswitch.com/support/IMail/patch-upgrades.html (Links to External Site)
Cause:   Authentication error, Input validation error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: Ipswitch's IMail Server POP3 Daemon Discloses Information on Username Validity to Remote Users and Lets Valid Remote Users Change Account Names of Other Users
A user indicates that some previous version are also vulnerable.



 Source Message Contents

Subject:  Vulnerabilities in Ipswitch IMail Server 7.04


Hi all,

There are a couple of vulnerabilities in Ipswitch IMail Server 7.04.


*** In the POP3 Server ***

If you enter a valid username the reply is:

+OK welcome

On the other hand, if you enter a username that doesn't exist on the server
the reply is:

+OK send your password

This gives you a way to probe for existing accounts on the server.


*** In the Web Messaging Server ***

Log in on one account in the Web Messaging Server and Select Change User
Information. Save the HTML page on disk and change the value of the hidden
INPUT tag called "olduser" to the name of another account. You also have to
change the ACTION value of the FORM tag so it points to the server, and it
must also contain the random string that you find in the URL to the ordinary
page. Then load this changed page into the browser, fill in some new user
information and click on the Save button. This way you can change the user
information for any other user.


*** Vendor response ***

Ipswitch have created a patch that among other things fix these two
vulnerabilities. You can find it at:
http://www.ipswitch.com/support/IMail/patch-upgrades.html


*** Other information ***

This advisory can also be found at:
http://ntsecurity.nu/advisories/a16.shtml


Regards /Arne Vidstrom, http://ntsecurity.nu

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC