Ipswitch's IMail Server POP3 Daemon Discloses Information on Username Validity to Remote Users and Lets Valid Remote Users Change Account Names of Other Users
SecurityTracker Alert ID: 1002536
SecurityTracker URL: http://securitytracker.com/id/1002536
Date: Oct 12 2001
Denial of service via network, Disclosure of system information, Modification of user information
Fix Available: Yes; Vendor Confirmed: Yes; Exploit Included: Yes
A vulnerability was reported by ntsecurity.nu in the Ipswitch IMail Server. The POP3 server provides an indication to remote users as to whether a username is valid or not. The web messaging interface allows valid and authenticated remote users to change other users' account names.
One vulnerability was reported with the POP3 server and another with the web interface.
If a remote user supplies a valid username to the POP3 daemon, the server reportedly replies with the following:
If a remote user supplies an invalid username (i.e., one that does not exist on the server) to the POP3 daemon, the server reportedly replies with the following:
+OK send your password
This information disclosure enables a remote user to probe the server for valid account names.
On the Web Messaging Server, a valid and authenticated remote user can change the user name of another account. This is possible because the server reportedly trusts the "olduser" hidden HTML INPUT tag in the "Change User Information" web form as being valid. The remote user can change the "olduser" value and submit the FORM with the malicious value to change the "olduser" account name to a different name.
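The server-side pattern behind the Web Messaging issue described above, shown next to a hardened handler. This is an added example, not Ipswitch code; the function names, the session table and the account store are assumptions made for illustration.

```python
# Constructed stand-ins for the account store and the session table.
ACCOUNTS = {"alice": {"fullname": "Alice A."}, "bob": {"fullname": "Bob B."}}
SESSIONS = {"tok-alice": "alice"}  # session token -> authenticated user


class Forbidden(Exception):
    """Raised when a request is not authorised."""


def rename(accounts, old, new):
    """Rename an account, refusing unknown sources and taken targets."""
    if old not in accounts:
        raise KeyError(old)
    if new in accounts:
        raise ValueError("account name already in use")
    accounts[new] = accounts.pop(old)


def change_user_info_trusting(accounts, sessions, token, form):
    """Flawed pattern: the account to modify is read from the client's form."""
    if token not in sessions:
        raise Forbidden("not logged in")
    # The hidden "olduser" field is attacker-controlled once the page is saved.
    rename(accounts, form["olduser"], form["newuser"])


def change_user_info_hardened(accounts, sessions, token, form):
    """Hardened pattern: the account to modify comes from the session only."""
    user = sessions.get(token)
    if user is None:
        raise Forbidden("not logged in")
    # A hidden field that disagrees with the session indicates tampering:
    # reject the request (and log it) instead of acting on the field.
    if form.get("olduser", user) != user:
        raise Forbidden("olduser does not match the authenticated user")
    rename(accounts, user, form["newuser"])
    sessions[token] = form["newuser"]  # keep the session bound to the new name
```

The hardened handler never uses "olduser" to select the target account; the field is only compared against the session identity so that a mismatch can be rejected and recorded.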
A remote user can determine whether a particular account name exists on the server. A valid and authenticated remote user can change any other user's account name, causing a denial of service condition.
The vendor has reportedly made a patch available at the Vendor URL.
Vendor URL: www.ipswitch.com/support/IMail/patch-upgrades.html
Authentication error, Input validation error, State error
Underlying OS: Windows (NT), Windows (2000)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Vulnerabilities in Ipswitch IMail Server 7.04
There are a couple of vulnerabilities in Ipswitch IMail Server 7.04.
*** In the POP3 Server ***
If you enter a valid username the reply is:
On the other hand, if you enter a username that doesn't exist on the server
the reply is:
+OK send your password
This gives you a way to probe for existing accounts on the server.
*** In the Web Messaging Server ***
Log in on one account in the Web Messaging Server and Select Change User
Information. Save the HTML page on disk and change the value of the hidden
INPUT tag called "olduser" to the name of another account. You also have to
change the ACTION value of the FORM tag so it points to the server, and it
must also contain the random string that you find in the URL to the ordinary
page. Then load this changed page into the browser, fill in some new user
information and click on the Save button. This way you can change the user
information for any other user.
*** Vendor response ***
Ipswitch have created a patch that, among other things, fixes these two
vulnerabilities. You can find it at:
*** Other information ***
This advisory can also be found at:
Regards /Arne Vidstrom, http://ntsecurity.nu