SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Alt-N WebAdmin Multiple Vulnerabilities


Arrow  SecurityAlert : 1455
Arrow  CVE : CVE-2006-4371
Arrow  CVE : CVE-2006-4370
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : Yes
Arrow  Credit : TTG
Arrow  Published : 28.08.2006

Arrow  Affected Software : Alt-N WebAdmin v3.2.3/3.2.4



Arrow  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities

RELEASE DATE:
August 21st, 2006

VENDOR:
Alt-N Technologies ( http://www.altn.com )

VULNERABLE:
Tested on Alt-N WebAdmin v3.2.3/3.2.4 running
with MDaemon v9.0.5, earlier versions are
suspected vulnerable as well

SEVERITY:
Authenticated users have access to higher level
accounts and files on the server

OS:
Microsoft Windows XP/2000/2003

SUMMARY

WebAdmin is a remote administration utility which allows administrators to
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
has become a standard module for the company's MDaemon mail server,
altough
it remains available independently as well.

The WebAdmin product page touts it's configurable access rights feature.
However, tested versions have been found vulnerable to a privilege
elevation
vulnerability which could lead to compromise of the mail server and which,
in combination with insufficient input sanitation in some of it's modules,
could allow malicious users access to sensitive files on the server.

This includes the system's weakly encoded password file.

DETAILS

Due to input to the administrative interface's logfile_view.wdm and
configfile_view.wdm files not being properly sanitized, authenticated
global
administrators are allowed access to the underlying filesystem like so:

http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat
http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userli
st.dat

Note that this is not a service offered by the administrative interface
itself.
Also of note is that the second example retrieves the server's password
file
which, as noted earlier by Obscure(1), is easily decodable.

Mitigating this problem is the fact that the user has to be a global
administrator to be allowed access to logfile_view.vdm and
configfile_view.vdm.

It has also been found however that while the web interface appears to
distinguish between user levels (namely global administrator and domain
administrator) and indeed touts this ability on it's product page, all
authenticated administrators within the same domain regardless of level
are
allowed to modify all user accounts and passwords through userlist.wdm,
including the details and passwords of global administrator accounts.

IMPACT

The impact of these vulnerabilities in a small environment using only
trusted
administrators is low if the default HTTP solution is not used. In larger
environments were one to trust on WebAdmin's user restrictions the impact
of
mentioned problems is larger, as they effectively allow third parties
unauthorized access to the full mail server configuration and the file
system below.

WORKAROUNDS

It is suggested that administrators do not access the administrative
interface over it's own server and as such the inherently insecure HTTP
protocol, but install it on another, SSL capable server.

Also, it would be wise to not allow regular users access to their domain
configurations through the administrative interface, no matter the server.

FIX

Vendor was notified and response was swift. First contact was established
on August 14 and WebAdmin 3.25 which fixes these issues(2) was made
available
on August 18.

REFERENCES

(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye
on Security
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html

(2) WebAdmin Server v3.25 Release Notes
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6gCIXSyYXTPz6J0RAjMWAJ9GQQCuzP0zngp3lNQ7hg3ODfoo+ACfYiqV
81UXnzFz5McMyXdC6Cr6Uc0=
=pqQg
-----END PGP SIGNATURE-----



Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...
Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication
PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file
Copyright © SecurityReason.com. All Rights Reserved.