Re: Simple Mail Server - SMTP Authentication Bypass Vulnerability
- From: Peter Conrad <conrad@xxxxxxxxx>
- Date: Tue, 10 Jan 2012 13:21:22 +0100
Hi,
demonalex@xxxxxxx wrote on 08.01.2012 at 15:10:
> Title: Simple Mail Server - SMTP Authentication Bypass Vulnerability
> Bug Description :
> Simple Mail Server is a tiny Mail Server written in C#. It can be sent mail
> without password by using usual tcp client(such as telnet).
> And it did not have SMTP authentication controller.
> POC(Remarks: domain alex.com and user alex@xxxxxxxx must exist in
> configuration for this test case):
> telnet 127.0.0.1 25
> 220 TEST-121F797342 SMTP ready.
> EHLO mail_of_alert
> 500 Not supported. Use HELO
> MAIL FROM: <alex@xxxxxxxx>
> 250 OK
> RCPT TO: <alex@xxxxxxxx>
> 250 OK
> Data
> 354 Start mail input; end with <CRLF>.<CRLF>
> From: "alex@xxxxxxxx" <alex@xxxxxxxx>
> To: "alex@xxxxxxxx" <alex@xxxxxxxx>
> Subject: authenticate is not required!

erm... where's the bug? If the mailer is configured to receive
mail for alex@xxxxxxxx, why should it require SMTP authentication
for incoming mails to that address?
Anyway, SMTP authentication is not a requirement for an MTA, so
the lack of such can hardly be called a bug.
Bye,
Peter
--
Peter Conrad
Tivano Software GmbH
Bahnhofstr. 18
63263 Neu-Isenburg
Tel: 06102 / 8099070
Fax: 06102 / 8099071
HRB 11680, AG Offenbach/Main
Managing Director: Martin Apel
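
An added example, not part of the original message and not Simple Mail Server code: a small Python check that applies the distinction raised in the reply to a recorded SMTP session. Accepting mail without authentication for a domain the server hosts is ordinary inbound delivery, while accepting it without authentication for a domain it does not host is relaying. The function name, the verdict labels, the "C:"/"S:" transcript format and the sample session are assumptions made for this illustration.

```python
import re

# Constructed session for illustration ("C:" client, "S:" server); alex.com is
# the domain named in the quoted report, example.org is a made-up foreign domain.
SAMPLE = """\
S: 220 TEST SMTP ready.
C: HELO tester
S: 250 OK
C: MAIL FROM:<alex@alex.com>
S: 250 OK
C: RCPT TO:<alex@alex.com>
S: 250 OK
C: RCPT TO:<someone@example.org>
S: 250 OK
"""

RCPT_RE = re.compile(r"RCPT TO:\s*<[^<>@\s]*@([^<>\s]+)>", re.IGNORECASE)

def classify_session(transcript, local_domains):
    """Return (recipient_domain, verdict) for each RCPT TO the server accepted."""
    local = {d.lower() for d in local_domains}
    authenticated = False
    pending = None  # last client command still waiting for its reply
    results = []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            pending = text
            continue
        if side != "S" or text[3:4] == "-":  # skip noise and continuation lines
            continue
        code = text[:3]
        if code == "235":  # RFC 4954: authentication succeeded
            authenticated = True
        match = RCPT_RE.match(pending or "")
        if match and code.startswith("2"):
            domain = match.group(1).lower()
            if domain in local:
                verdict = "local-delivery"         # normal inbound mail
            elif authenticated:
                verdict = "authenticated-relay"    # submission by a known user
            else:
                verdict = "unauthenticated-relay"  # the case worth reporting
            results.append((domain, verdict))
        pending = None
    return results
```

Run against the sample with `["alex.com"]` as the hosted domains, the first recipient is classified as local delivery and only the second, foreign one is flagged.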