[23786] in bugtraq
MiraMail 1.04 can give POP account access and details
daemon@ATHENA.MIT.EDU (Chris Lathem)
Wed Jan 9 23:19:45 2002
Date: 9 Jan 2002 21:45:42 -0000
Message-ID: <20020109214542.8495.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Chris Lathem <clathem@skyhawke.com>
To: bugtraq@securityfocus.com

Released: January 9, 2002
Discovered: January 3, 2002 by Chris Lathem
chris@lathemonline.com

Program Overview: MiraMail is a fairly new program
to the market, and is intended to be used as a news
server. It is developed and maintained by Nevrona
Designs. For more information please see
www.nevrona.com/miramail. The problem in MiraMail
lies in the way it stores its variables: Everything is
stored in an ".ini" file in plain text. This includes POP
account usernames and passwords. This is not
limited to the POP accounts either. The user
accounts and groups are also stored in the same file,
all in plain text. Any user with access to the directory
in which MiraMail is installed can potentially "snoop"
the file for accounts and passwords, or could add
additional users or groups with ease.

Status: Vendor was contacted on January 3, and
acknowledged the problem. According to the vendor,
the next version to be released (1.05) will encrypt
the .ini file with md5 encryption, and will be released
in the next couple of weeks.

Cheers,
Chris Lathem
chris@lathemonline.com
http://www.lathemonline.com
--------------------------------------------------------------------
Please be nice to me, this is my first post.
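A defender-side check for the condition the advisory describes, as an added example that is not part of the original post or of MiraMail: it flags password-like keys stored in the clear in an .ini file and reports the permission bits that let other accounts read or change it. The section names, key names and values in the sample are constructed, since the post does not show MiraMail's actual file layout; the permission check reads POSIX mode bits, so on Windows the file's ACL has to be reviewed instead.

```python
import configparser
import os
import re
import stat
import tempfile

# Heuristics (assumed): key names that usually hold secrets, and values that
# look like a hex digest rather than a readable password.
SECRET_KEY = re.compile(r"pass|pwd|secret", re.I)
DIGEST = re.compile(r"^[0-9a-fA-F]{32,128}$")

# Constructed sample; the post does not show MiraMail's real section or key names.
SAMPLE = """\
[POP1]
Host=pop.example.test
Username=newsfeed
Password=hunter2
[User.alice]
Group=admins
Password=5f4dcc3b5aa765d61d8327deb882cf99
"""

def plaintext_secrets(ini_text):
    """Return sorted (section, key) pairs whose value is a readable secret."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return sorted((sec, key) for sec in cp.sections()
                  for key, val in cp.items(sec)
                  if SECRET_KEY.search(key) and val and not DIGEST.match(val))

def loose_permissions(path):
    """Name the POSIX mode bits that let non-owners read or modify the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    bits = {"group-read": stat.S_IRGRP, "group-write": stat.S_IWGRP,
            "other-read": stat.S_IROTH, "other-write": stat.S_IWOTH}
    return [name for name, bit in bits.items() if mode & bit]

def audit(path):
    """Combine both checks for one settings file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {"plaintext": plaintext_secrets(fh.read()),
                "loose": loose_permissions(path)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.ini")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # readable by every local account
        print(audit(path))
```

A write bit in the result corresponds to the second half of the report: an account that can modify the file can add users or groups to it.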