[NT] MiraMail Gives POP Account Access and Details

From: support@securiteam.com
Date: 01/16/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 16 Jan 2002 20:09:43 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  MiraMail Gives POP Account Access and Details
------------------------------------------------------------------------

SUMMARY

 <http://www.nevrona.com/miramail> MiraMail is a news server program
developed and maintained by Nevrona Designs. The problem in MiraMail lies
in the way it stores its variables: Everything is stored in an ".ini" file
in plain text. This includes POP account usernames and passwords. This is
not limited to the POP accounts either. The user accounts and groups are
also stored in the same file, all in plain text. Any user with access to
the directory in which MiraMail is installed can potentially "snoop" the
file for accounts and passwords, or could add additional users or groups
with ease.

DETAILS

Vulnerable systems:
MiraMail version 1.04

Immune systems:
MiraMail version 1.05

Vendor status:
Vendor was contacted on January 3, and acknowledged the problem. According
to the vendor, the next version to be released (1.05) will encrypt the
ini file with md5 encryption, and will be released in the next couple of
weeks.

ADDITIONAL INFORMATION

The information has been provided by <mailto:clathem@skyhawke.com> Chris
Lathem.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.