[16223] in bugtraq


Re: Tumbleweed Worldsecure (MMS) BLANK '

daemon@ATHENA.MIT.EDU (Neil Pike)
Mon Aug 14 14:29:32 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Message-Id:  <200008131555_MC2-AF85-809@compuserve.com>
Date:         Sun, 13 Aug 2000 15:54:50 -0400
Reply-To: Neil Pike <NeilPike@COMPUSERVE.COM>
From: Neil Pike <NeilPike@COMPUSERVE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

 I reported the same thing to them a month ago.  They have an article on
it, but they don't make it public unless you ask!  (And the install
instructions say nothing about it).  I amended MSDE to use integrated
security before I told them (which fixes the problem and should be their
default).
 
> I've recently discovered the following vulnerability:
> Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk
> Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
> Version: 4.3 - 4.5 (all builds)
> Description: Product uses Microsoft's MSDE (Database engine) which is a
> stripped down version of the Microsoft SQL server 7.0. During the setup
> stage, I was never asked for the 'sa' account password, which led me to
> think that the application is either generating a random password every
> time it installs or the password is the same for all installations. Well,
> after further research I discovered that the password is left BLANK !!!
> This is a huge remotely exploitable vulnerability. After I remotely
> connected to the database (with 'sa' account and NO PASSWORD) I was able
> to delete the databases (denial of service, product becomes unusable) and
> modify the data (customer certificates, configuration of the product,
> logs, etc.).
>
> Tumbleweed refuses to acknowledge this vulnerability, which caused major
> outrage among my customers. Therefore, I have no choice but to go public
> about this vulnerability.
>
> Please feel free to contact me with ANY questions regarding this issue,
> although I would like to remain anonymous.
>
> Thank you very much.
>
> ------------------------------------------------------------
> Hey you! Claim your FREE anonymous email account:
> Click Here -> http://www.anonymous.to
>

 Neil Pike MVP/MCSE
 Protech Computing Ltd
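The check and the two fixes discussed in this thread, as an added example that is not part of Neil Pike's reply or the original report and is not Tumbleweed's own code. From another machine the exposure reproduces as `osql -S <host> -U sa -P ""`; the T-SQL below is what to run on the MMS box itself, as sa, against the MSDE 1.0 (SQL Server 7.0) instance. Assumptions: PWDCOMPARE is an undocumented function, and the LoginMode registry path and values (1 = Windows authentication only, 2 = mixed) are taken from SQL Server 7.0; the password string is a placeholder.

```sql
-- Added example, not from the original post. Run as sa with osql/isql
-- against the MSDE 1.0 / SQL Server 7.0 instance installed by MMS.

-- 1. Which SQL Server logins still have a blank password?
--    isntname = 0 excludes Windows logins, whose password column is
--    always NULL. PWDCOMPARE is undocumented (assumption: present in 7.0).
SELECT name
FROM   master..sysxlogins
WHERE  isntname = 0
  AND  (password IS NULL OR PWDCOMPARE('', password) = 1);

-- 2. Give sa a real password. The old password argument is NULL because
--    the account currently has none. Replace the placeholder.
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Passphrase', 'sa';

-- 3. Make sure the account the MMS services run under can still reach
--    the database through Windows authentication before step 4.
--    (Assumed account name; substitute the real service account.)
EXEC sp_grantlogin 'MMSHOST\MMSService';
EXEC sp_addsrvrolemember 'MMSHOST\MMSService', 'sysadmin';

-- 4. Switch the instance to integrated security only, which is the fix
--    Neil describes: the sa login is then unusable over the network.
--    Registry path/values assumed from SQL Server 7.0; 1 = Windows only.
EXEC master..xp_regwrite
     'HKEY_LOCAL_MACHINE',
     'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
     'LoginMode',
     'REG_DWORD',
     1;
-- Takes effect only after the service restarts:
--   net stop mssqlserver
--   net start mssqlserver
-- Afterwards re-run the osql line from the lead-in; the sa login must fail.
```

Do step 3 before step 4: once LoginMode is 1 the product can only connect with a Windows login, so if the MMS services have no mapped Windows account they lose their database exactly as the original report describes, but from the defender's side. Step 2 is still worth doing even if you keep mixed mode, since a blank sa password is what makes the instance remotely exploitable in the first place.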

 
