Alt-N MDaemon 'Lock Server' Bypass Vulnerability
BID:2115
Info
| Bugtraq ID: | 2115 |
| Class: | Access Validation Error |
| CVE: | CVE-2001-0104 |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 14 2000 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | Discovered and posted to Bugtraq on Dec 13, 2000 by Mohamed Riyad <[email protected]>. |
| Vulnerable: | Altn MDaemon 3.5.1 |
| Not Vulnerable: | |
Discussion
MDaemon is an email server offered by Alt-N Technologies that supports most common Internet mail protocols. As a security feature, MDaemon allows administrators to "lock" the administrative console on the system's desktop. If it is locked, a password is required for anyone wishing to use the administrative console.
The implementation of this security feature is unfortunately flawed. By simply clicking cancel and hitting the 'enter' key when the password prompt is displayed, the user will gain entry to the MDaemon interface with administrative privileges.
From this point, an attacker could modify the configuration of MDaemon, possibly causing a denial of the service it provides or assisting some other compromise.
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].