|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] Privilege escalation flaw in MDaemon 7.2.
From: kf_lists (kf_lists
secnetops.com)
Date: Tue Nov 30 2004 - 00:33:05 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
When I tested things it was on MDaemon 6.8
Excuse me... they did respond and it was LESS than a year ago. =]. Here
is how it went:
------------------------------------------------------
02/03/2004 11:10 AM
Hello!
I have sent this on to the developers.
However, the issue you describe would require a user to have a valid
login and physical access to the machine. With both of those, they can
login to the server and access the MDaemon GUI, which can also be
further secured with a password. I'm not dismissing your submission,
just providing feedback.
If you have any questions, please let us know. Thanks!
-- Billy Pinson Customer Service Lead Alt-N Technologies, Ltd. Helping
The World Communicate! http://www.altn.com
-------------------------------------------------------------- MDaemon
7.0 is coming! Faster multi-thread/multi-CPU server engine, market
leading spam control, improved mobile and PDA support, enhanced
security, and killer OWA style web mail.
--------------------------------------------------------------
-------------------------------------------------
02/04/2004 06:33 PM
Thanks much... any time estimate on the fix? It sounds as if it may have
a low priority since its being added to a list.
-KF
Alt-N Sales - Billy Pinson wrote:
> One thing the developers have suggested in the mean time is to change
> the service so that it can not interact with the desktop, this would
> prevent the GUI from showing up.
>
> If you need GUI access simply run the MDaemon ghost option. This will
> launch the GUI under the users account, rather than the system account.
>
> They have placed this on their list of things to be fixed.
>
-------------------------------------------------
03/18/2004 10:11 PM
Alt-N Sales - Lina Daaboul wrote:
> Hello,
>
> We do not have an estimated time at this time.
> If you have any questions, please let us know. Thanks!
>
-KF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]