[NT] Account Management Vulnerabilities in Ipswitch IMail Server

From: support@securiteam.com
Date: 10/16/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Account Management Vulnerabilities in Ipswitch IMail Server
Message-Id: <20011016123118.C2EF7138C1@mail.der-keiler.de>
Date: Tue, 16 Oct 2001 14:31:18 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Account Management Vulnerabilities in Ipswitch IMail Server
------------------------------------------------------------------------

SUMMARY

IMail Server is a spam-resistant mail server for Windows NT/2000. The
product suffers from two security vulnerabilities; one allows username
harvesting, and the other allows modification of account information
without knowing the password for that account.

DETAILS

Vulnerable systems:
Ipswitch IMail Server version 7.04

POP3 Account disclosure:
If you enter a valid username, the reply is:

+OK welcome

On the other hand, if you enter a username that does not exist on the
server the reply is:

+OK send your password

This gives you a way to probe for existing accounts on the server.

Web Messaging Server Account Modification :
Log in on one account in the Web Messaging Server and Select Change User
Information. Save the HTML page on disk and change the value of the hidden
INPUT tag called "olduser" to the name of another account. You also have
to change the ACTION value of the FORM tag so it points to the server, and
it must contain the random string that you find in the URL to the ordinary
page. Next, load this changed page into the browser, fill in some new user
information and click on the Save button. This way you can change the user
information for any other user.

Vendor response:
Ipswitch have created a patch that among other things fixes these two
vulnerabilities. You can find it at:
 <http://www.ipswitch.com/support/IMail/patch-upgrades.html>
http://www.ipswitch.com/support/IMail/patch-upgrades.html

ADDITIONAL INFORMATION

The information has been provided by <mailto:arne.vidstrom@ntsecurity.nu>
Arne Vidstrom.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages