||Home : Advisories : MDaemon 3.5.1 Vulnerability|
||MDaemon 3.5.1 Vulnerability
||15th December 2000
Ok, This is my second post in the years and I have been reading all your
postings so far. You all are doing a great job indeed.
I would like to point out a security problem in MDaemon mail server (even in
ver 3.5.1 the latest).
Windows NT 4.0 server (SP 6.0a)
MDaemon Pro ver 3.5.1 (The latest update I downloaded last night)
Note: On Windows NT machines, you must be able to login to use this exploit.
On Windows 98, anybody has access to the desktop could do it.
Problem: When the MD server is locked, any one can simply bypass the "locked
server" security and can do anything they want.
Description: If a mail server administrator wanted to deny access to MD
server , he right clicks on the system tray Icon and select "lock server"
and then MDaemon will ask for a password and again ask to confirm it.
Whenever you wanted to open MD window, you double click on the icon at
system tray, MD will ask for the password. If you enter the correct
password, you will be allowed inside.
The security could be bypassed here. Just double click on the system tray
icon of MDaemon to start. Now, MDaemon will prompt for the password. Without
entering any password the, just click on Cancel button. AND IMMEDIATELY
PRESS THE ENTER KEY and YOU WILL BE TAKEN INTO MDAEMON. You can do whatever
you wanted to do with MDaemon and then safe minimize it to close the window.
This is exploit can be used to add/delete/modify any email accounts and
mailing list. also new domains could be added. Any mails to any accounts
could be forwarded and a lot more.
I found this problem even in the very early versions of MDaemon. Two weeks
back I sent an email to ALT.COM asking for their email address to report the
security problem in MDaemon and they never replied. And I used their website
to send a message and I received NO reply at all.
So, I decided to post this message to BUGTRAQ and also CC to MDaemon Beta
Thank you all
>From SRI LANKA
"Intelligence is when you discover something no one else has,"