[sec-adv] ShareMailPro Mailbox and Status Information Disclosure Vulnerability

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Thu Jul 03 2003 - 06:57:26 CDT


TITLE:
ShareMailPro Mailbox and Status Information Disclosure Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9167/

CRITICAL:
Less critical

IMPACT:
Exposure of system information, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
ShareMailPro 3.x

DESCRIPTION:
An information disclosure vulnerability has been reported in
ShareMailPro, which can be exploited by malicious users to gain
knowledge of the status of services and user mailboxes.

The vulnerability is caused by an access control error. Any
authenticated user allowed to access his/her mailbox remotely via the
web interface may request the pages "status.htm" and "mailbox.htm".
This discloses information that only administrators should have
access to.

The vulnerability has been reported in ShareMailPro version 3.6.1.

Secunia has confirmed that the latest version (3.7.1) restricts
access to "mailbox.htm" but not "status.htm".

NOTE: Successful exploitation requires that "WebConfig" has been
enabled, which is not the default setting.

SOLUTION:
Upgrade to version 3.7.1, which properly restricts access to
"mailbox.htm" (but not "status.htm").

Restrict access to "status.htm", or disable "WebConfig".
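The defect described above is a missing authorization step: the web interface checks that a user is logged in but not that the user is an administrator before serving "status.htm" and "mailbox.htm". The following is an added illustration, not ShareMailPro's code and not Secunia's, of the vulnerable check beside a hardened one, together with a scan over constructed web-server log lines that flags admin-only pages served to non-admin accounts. The page names come from the advisory; the session model, the log format and all user names and addresses are assumptions constructed for the example.

```python
"""Added example (not ShareMailPro's code): role check for admin-only pages
and a log scan that finds requests which should have been refused."""
import re
from dataclasses import dataclass

# Pages the advisory names as administrator-only. The product's real page
# list is not known here; this set is constructed from the advisory text.
ADMIN_ONLY_PAGES = frozenset({"status.htm", "mailbox.htm"})


@dataclass(frozen=True)
class Session:
    """Hypothetical session record carried with each web request."""
    user: str
    authenticated: bool
    is_admin: bool


def normalize_page(path: str) -> str:
    """Reduce a request path to its final file name, lower-cased, with any
    query string or fragment removed, so '/Status.HTM?x=1' compares equal
    to 'status.htm'. Comparing the raw path would let trivial variations
    slip past a page-name check."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def authorize_vulnerable(session: Session, path: str) -> bool:
    """The behaviour the advisory describes: every authenticated user may
    fetch every page, including the administrator-only ones."""
    return session.authenticated


def authorize_fixed(session: Session, path: str) -> bool:
    """Hardened check: authentication first, then an explicit role test for
    pages in ADMIN_ONLY_PAGES. Ordinary pages remain open to any
    authenticated user."""
    if not session.authenticated:
        return False
    if normalize_page(path) in ADMIN_ONLY_PAGES:
        return session.is_admin
    return True


# Constructed log format (assumption): "<ip> <user> <role> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (admin|user) (GET|POST) (\S+) (\d{3})$")

# Constructed sample log lines; the accounts and addresses are invented.
SAMPLE_LOG = [
    "10.0.0.5 alice admin GET /status.htm 200",
    "10.0.0.9 bob user GET /inbox.htm 200",
    "10.0.0.9 bob user GET /status.htm 200",
    "10.0.0.12 carol user GET /Mailbox.HTM?folder=x 200",
    "10.0.0.12 carol user GET /status.htm 403",
]


def find_admin_pages_served_to_non_admins(lines):
    """Return (user, page) pairs where a non-admin account was served (2xx)
    an admin-only page. A 403 is the expected outcome and is not reported;
    malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ip, user, role, _method, path, status = m.groups()
        page = normalize_page(path)
        if role != "admin" and page in ADMIN_ONLY_PAGES and status.startswith("2"):
            hits.append((user, page))
    return hits


if __name__ == "__main__":
    bob = Session("bob", authenticated=True, is_admin=False)
    print("vulnerable:", authorize_vulnerable(bob, "/status.htm"))
    print("fixed:     ", authorize_fixed(bob, "/status.htm"))
    print("log hits:  ", find_admin_pages_served_to_non_admins(SAMPLE_LOG))
```

The log scan is the check an administrator who cannot upgrade immediately would want: until "status.htm" is restricted or "WebConfig" is disabled, any 2xx response for that page to a non-admin account is exactly the exposure the advisory describes.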

REPORTED BY / CREDITS:
Ziv Kamir

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive by
following the link above.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------
