NotifyLink Enterprise Server Multiple Vulnerabilities
BID:12843
Info
NotifyLink Enterprise Server Multiple Vulnerabilities
| Bugtraq ID: | 12843 |
| Class: | Unknown |
| CVE: |
CVE-2005-0811 CVE-2005-0812 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 18 2005 12:00AM |
| Updated: | Jul 12 2009 10:56AM |
| Credit: | Discovery is credited to NOAA NCIRT Lab. |
| Vulnerable: |
NotifyLink NotifyLink Enterprise Server |
| Not Vulnerable: |
NotifyLink NotifyLink Enterprise Server 3.0 |
Discussion
NotifyLink Enterprise Server Multiple Vulnerabilities
NotifyLink Enterprise Server is reported prone to multiple vulnerabilities. These issues can allow an attacker to disclose sensitive information, gain unauthorized access to certain functions, carry out SQL injection attacks and potentially disclose encrypted email messages.
The following specific issues were identified:
It is reported that the server is affected by a weakness that can allow an administrative user to disclose the NotifyLink server and mail server passwords of other users.
Another vulnerability can allow a user to bypass security restrictions and gain access to restricted functions.
The application is also affected by multiple remote SQL injection vulnerabilities.
Another weakness in the application may allow an attacker to potentially disclose encrypted emails.
NotifyLink Enterprise Server versions prior to 3.0 are affected by these issues.
NotifyLink Enterprise Server is reported prone to multiple vulnerabilities. These issues can allow an attacker to disclose sensitive information, gain unauthorized access to certain functions, carry out SQL injection attacks and potentially disclose encrypted email messages.
The following specific issues were identified:
It is reported that the server is affected by a weakness that can allow an administrative user to disclose the NotifyLink server and mail server passwords of other users.
Another vulnerability can allow a user to bypass security restrictions and gain access to restricted functions.
The application is also affected by multiple remote SQL injection vulnerabilities.
Another weakness in the application may allow an attacker to potentially disclose encrypted emails.
NotifyLink Enterprise Server versions prior to 3.0 are affected by these issues.
Exploit / POC
NotifyLink Enterprise Server Multiple Vulnerabilities
An exploit is not required to leverage these issues.
An exploit is not required to leverage these issues.
Solution / Fix
NotifyLink Enterprise Server Multiple Vulnerabilities
Solution:
NotifyLink 3.0 and subsequent versions are not affected by the password disclosure, SQL injection, and access control bypass issues. Please contact the vendor to obtain a fixed version.
The vendor has recommended that users configure NotifyLink to use "Manual Key Generation" to address the insecure key obfuscation issue.
Solution:
NotifyLink 3.0 and subsequent versions are not affected by the password disclosure, SQL injection, and access control bypass issues. Please contact the vendor to obtain a fixed version.
The vendor has recommended that users configure NotifyLink to use "Manual Key Generation" to address the insecure key obfuscation issue.
References
NotifyLink Enterprise Server Multiple Vulnerabilities
References:
References:
- NotifyLink Home Page (NotifyLink)
- Vulnerability Note VU#131828 - web client fails to adequately restrict access (CERT)
- Vulnerability Note VU#264097 - NotifyLink contains multiple SQL injection (CERT)
- Vulnerability Note VU#581068 - server provides inadequate protection for crypto (CERT)
- Vulnerability Note VU#770532 - administrative interface displays user passwords (CERT)