


Category:   Application (Generic)  >   eXtended Account Managing Software (XAMS) Vendors:   Hofstetter, Philip and Siegmar, Oliver
eXtended Account Managing Software (XAMS) E-mail Account Management Software Has Access Control Flaw That May Let Remote Administrators Edit Users and Aliases Belonging to Other Administrators
SecurityTracker Alert ID:  1003119
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 5 2002
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.0.4 and prior versions
Description:   A vulnerability was reported in the eXtended Account Managing Software (XAMS) package for managing email accounts across multiple sites and domains. A valid remote user may be able to edit users and aliases of a different domain.

It is reported that a remote Site Administrator with a valid account on the application could edit 'foreign' users and aliases without authorization.

Impact:   A valid remote user with site administration privileges may be able to edit users and aliases belonging to a different domain that the user is not authorized to edit.
Solution:   The vendor has released a fixed version (0.0.5), available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  eXtended Account Managing Software (XAMS)

2002-01-03  Oliver Siegmar
    * More work on OOP-Stuff
    + Added more form-checking capability
    + More usability in System Overview
    * Fixed bug in user overview
    * Fixed security issue where SiteAdmins could edit
      'foreign' users/aliases
    * Corrected search-behaviour
    * Corrected List-SiteAdmin-Sites if he is not
      responsible for anything
    + Finally added support for MaxAddr, MaxAliases
      and AddrType on site level - so SiteAdmin
      can't add Users independent of these settings
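The flaw described in the advisory and fixed in the changelog entry above ("SiteAdmins could edit 'foreign' users/aliases") is a missing ownership check: the application confirmed the caller was a Site Administrator but not that the target user or alias belonged to one of that administrator's domains. The following Python model is an added illustration, not XAMS code (the page does not show the project's implementation); the account and admin records, the `can_edit` and `edit_account` functions are constructed for this example and show the unchecked pattern beside the corrected one.

```python
"""Model of a site-admin authorization check: an admin may edit users and
aliases only in the domains they administer (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    address: str        # mailbox or alias address, e.g. "alice@example.org"
    domain: str         # domain the record belongs to, stored server-side
    is_alias: bool = False


@dataclass
class SiteAdmin:
    login: str
    domains: set = field(default_factory=set)  # domains this admin is responsible for


# Constructed sample data, not taken from the advisory.
ACCOUNTS = {
    "alice@example.org": Account("alice@example.org", "example.org"),
    "bob@example.net": Account("bob@example.net", "example.net"),
    "sales@example.net": Account("sales@example.net", "example.net", is_alias=True),
}
ADMINS = {
    "admin-org": SiteAdmin("admin-org", {"example.org"}),
    "admin-net": SiteAdmin("admin-net", {"example.net"}),
}


def edit_account_unchecked(admin_login, address, changes):
    """Vulnerable pattern: verifies that the caller is *a* site admin, but never
    that the target record lies in one of the caller's own domains."""
    if admin_login not in ADMINS:
        raise PermissionError("not a site admin")
    acct = ACCOUNTS[address]
    for key, value in changes.items():
        setattr(acct, key, value)
    return acct


def can_edit(admin_login, address):
    """Ownership check. The domain comes from the stored record, never from a
    client-supplied parameter, so it cannot be spoofed in the request."""
    admin = ADMINS.get(admin_login)
    acct = ACCOUNTS.get(address)
    return admin is not None and acct is not None and acct.domain in admin.domains


def edit_account(admin_login, address, changes):
    """Fixed pattern: the ownership check runs before any write, and a domain
    change is only allowed into another domain the same admin controls."""
    if not can_edit(admin_login, address):
        # One error for "unknown" and "foreign" avoids confirming which
        # addresses exist in domains the caller does not administer.
        raise PermissionError("no such account in your domains")
    if "domain" in changes and changes["domain"] not in ADMINS[admin_login].domains:
        raise PermissionError("cannot move an account into a foreign domain")
    acct = ACCOUNTS[address]
    for key, value in changes.items():
        setattr(acct, key, value)
    return acct
```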

