
Vulnerabilities in Ipswitch IMail Server 7.04

Details about the vulnerability in the POP3 Server:

If you enter a valid username the reply is:

+OK welcome

On the other hand, if you enter a username that doesn't exist on the server the reply is:

+OK send your password

This gives you a way to probe for existing accounts on the server.

Details about the vulnerability in the Web Messaging Server:

Log in to one account in the Web Messaging Server and select Change User Information. Save the HTML page to disk and change the value of the hidden INPUT tag called "olduser" to the name of another account. You also have to change the ACTION value of the FORM tag so that it points to the server, and it must also contain the random string that you find in the URL of the ordinary page. Then load this changed page into the browser, fill in some new user information and click the Save button. This way you can change the user information for any other user.
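The flaw described above is a server that takes the account to modify from a client-supplied form field instead of from the logged-in session. The following is an added example, not IMail's code: a minimal Python model of such a handler next to a hardened form. All function and variable names and the sample data are hypothetical, and it assumes the random string in the URL acts as the session identifier.

```python
# Constructed model of a "Change User Information" handler (not IMail code).
# SESSIONS maps the random URL string to the account that logged in.
SESSIONS = {"k3x9q": "alice"}
USERS = {"alice": {"full_name": "Alice A."}, "bob": {"full_name": "Bob B."}}


def change_info_vulnerable(users, sessions, token, form):
    """Pattern from the advisory: the session only gates access, while the
    account to modify comes from the hidden 'olduser' field."""
    if token not in sessions:
        return 403
    target = form["olduser"]  # client-controlled value trusted as identity
    if target not in users:
        return 404
    users[target]["full_name"] = form["full_name"]
    return 200


def change_info_hardened(users, sessions, token, form):
    """The account is taken from the server-side session. A submitted
    'olduser' that disagrees with it is rejected rather than ignored, so
    tampering shows up in response codes and logs."""
    account = sessions.get(token)
    if account is None:
        return 403
    if form.get("olduser", account) != account:
        return 403
    users[account]["full_name"] = form["full_name"]
    return 200


def demo():
    """Replay the same tampered form against both handlers."""
    tampered = {"olduser": "bob", "full_name": "changed"}
    results = {}
    for name, handler in (("vulnerable", change_info_vulnerable),
                          ("hardened", change_info_hardened)):
        users = {u: dict(info) for u, info in USERS.items()}  # fresh copy
        status = handler(users, SESSIONS, "k3x9q", tampered)
        results[name] = (status, users["bob"]["full_name"])
    return results


if __name__ == "__main__":
    print(demo())
```
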

Vendor Response:

Ipswitch have created a patch that, among other things, fixes these two vulnerabilities.



© Arne Vidstrom. All rights reserved.