SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   eXtended Account Managing Software (XAMS)
Vendors:   Hofstetter, Philip and Siegmar, Oliver
eXtended Account Managing Software (XAMS) E-mail Account Management Software Has Access Control Flaw That May Let Remote Administrators Edit Users and Aliases Belonging to Other Administrators
SecurityTracker Alert ID:  1003119
SecurityTracker URL:  http://securitytracker.com/id/1003119
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 5 2002
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.0.4 and prior versions
Description:   A vulnerability was reported in the eXtended Account Managing Software (XAMS) package for managing email accounts across multiple sites and domains. A valid remote user may be able to edit users and aliases of a different domain.

It is reported that a remote Site Administrator with a valid account on the application could edit 'foreign' users and aliases without authorization.

Impact:   A valid remote user with site administration privileges may be able to edit users and aliases belonging to a different domain that the user is not authorized to edit.
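The flaw described above is a missing object-level authorization check: the application confirmed that the caller held the Site Administrator role but did not confirm that the user or alias being edited belonged to one of that administrator's own sites. The following Python is an added example, not XAMS code, showing that pattern alongside its correction; the AccountStore class, the sample sites, admins, users and aliases, and the add_user limit check (modelled on the site-level MaxAddr setting the vendor changelog introduces in the same release) are all constructed for illustration.

```python
"""Added example (not XAMS code): the authorization pattern behind this
advisory. A Site Administrator may only edit users and aliases that
belong to a site (domain) they are responsible for. Every name,
structure and data value here is constructed for illustration."""


class NotAuthorized(Exception):
    """Raised when an admin acts outside the sites assigned to them."""


class AccountStore:
    """Minimal in-memory stand-in for the application's database (hypothetical)."""

    def __init__(self, site_admins, sites, users, aliases):
        self.site_admins = site_admins  # admin login -> set of sites they manage
        self.sites = sites              # site -> per-site limits
        self.users = users              # user id -> record
        self.aliases = aliases          # alias id -> record


def make_store():
    """Fresh copy of constructed sample data so each run starts clean."""
    return AccountStore(
        site_admins={"alice": {"example.org"}, "bob": {"example.net"}},
        sites={"example.org": {"max_addr": 2}, "example.net": {"max_addr": 2}},
        users={
            "u1": {"site": "example.org", "login": "joe@example.org", "quota": 50},
            "u2": {"site": "example.net", "login": "ann@example.net", "quota": 50},
        },
        aliases={
            "a1": {"site": "example.net", "source": "info@example.net",
                   "target": "ann@example.net"},
        },
    )


def edit_user_vulnerable(store, admin, user_id, **changes):
    """Pre-0.0.5 behaviour as the advisory describes it: holding the
    Site Administrator role is treated as sufficient. The record's site
    is never compared with the admin's sites, so any site admin can
    modify 'foreign' users."""
    if admin not in store.site_admins:
        raise NotAuthorized("not a site admin")
    store.users[user_id].update(changes)
    return store.users[user_id]


def _owned(store, admin, record):
    """Object-level check: the record's site must be one this admin manages."""
    return record["site"] in store.site_admins.get(admin, set())


def _edit(store, admin, table, record_id, changes):
    record = table.get(record_id)
    # One error for 'missing' and 'foreign' so record ids are not enumerable.
    if record is None or not _owned(store, admin, record):
        raise NotAuthorized(f"{record_id}: not found or not yours")
    if "site" in changes:
        # Never let an edit re-home a record to a site the admin does not own.
        raise NotAuthorized("site cannot be changed through this handler")
    record.update(changes)
    return record


def edit_user(store, admin, user_id, **changes):
    """Corrected handler: authorize against the target record, not only the role."""
    return _edit(store, admin, store.users, user_id, changes)


def edit_alias(store, admin, alias_id, **changes):
    """Same ownership rule applied to aliases."""
    return _edit(store, admin, store.aliases, alias_id, changes)


def add_user(store, admin, user_id, site, login):
    """Creation path: ownership check plus a site-level MaxAddr limit,
    so a site admin cannot add users independent of the site's settings."""
    if site not in store.site_admins.get(admin, set()):
        raise NotAuthorized(f"{admin} does not manage {site}")
    in_use = sum(1 for u in store.users.values() if u["site"] == site)
    limit = store.sites[site]["max_addr"]
    if in_use >= limit:
        raise NotAuthorized(f"{site}: MaxAddr ({limit}) reached")
    store.users[user_id] = {"site": site, "login": login, "quota": 50}
    return store.users[user_id]


def is_denied(fn, *args, **kwargs):
    """True if the call raises NotAuthorized; useful for regression tests."""
    try:
        fn(*args, **kwargs)
    except NotAuthorized:
        return True
    return False
```

The important design point is that the check runs against the object being modified, not against the caller's role alone, and that the error for a foreign record is indistinguishable from the error for a nonexistent one. A regression test for this class of bug is simply: take an admin of one site, attempt an edit on every record belonging to another site, and assert that each attempt is denied and leaves the record unchanged.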
Solution:   The vendor has released a fixed version (0.0.5), available at:

http://www.xams.org/download.html

Vendor URL:  www.xams.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  eXtended Account Managing Software (XAMS)


http://www.xams.org/

2002-01-03  Oliver Siegmar  Oliver.Siegmar@xams.org
    * More work on OOP-Stuff
    + Added more form-checking capability
    + More usability in System Overview
    * Fixed bug in user overview
    * Fixed security issue where SiteAdmins could edit
      'foreign' users/aliases
    * Corrected search-behaviour
    * Corrected List-SiteAdmin-Sites if he is not
      responsible for anything
    + Finally added support for MaxAddr, MaxAliases
      and AddrType on site level - so SiteAdmin
      can't add Users independent of these settings