Hi,

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02496

---
Known Vulnerabilities in MDaemon

KBA-02496

Purpose & Scope

This article refers to some vulnerabilities that are in MDaemon.

Procedure

There are several vulnerabilities that are fixed in MDaemon 13.0.4:

    Alt-N MDaemon Body HTML Injection Vulnerability:
    Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability:
    Alt-N MDaemon's Disclosure of Authentication Credentials:
    Alt-N MDaemon's WebAdmin Remote Code Execution Vulnerability:

If you are unable to upgrade to MDaemon 13.0.4 you can help to secure
your server by ensuring that WorldClient and WebAdmin are configured to
require IP persistence. In order to enable these options:

    Open the MDaemon user interface.
    Select the Setup menu.
    Select Web and IM Services.
    In the WorldClient section select Web Server.
    Check the box for require IP persistence throughout WorldClient session.
    Click the Restart WorldClient button.

http://www.altn.com/Images/KB/02440-02539/KBA-02496/KBA_02496_Step6.png

    In the WebAdmin section select Web Server.
    Check the box for Require IP persistence throughout WebAdmin session.
    Click the Restart WebAdmin button.
    Click the OK button.

http://www.altn.com/Images/KB/02440-02539/KBA-02496/KBA_02496_Step10.png

WorldClient can be further secured by ensuring it is configured to use
cookies. In order to enable these options:

    Open the MDaemon user interface.
    Select the Setup menu.
    Select Web and IM Services.
    In the WorldClient section select Web Server.
    Check the box for require IP persistence throughout WorldClient session.
    Click the Restart WorldClient button.
    Click the OK button.

http://www.altn.com/Images/KB/02440-02539/KBA-02496/KBA_02496_Step7a.png

    Open Windows Explorer and navigate to the MDaemon\WorldClient\ directory.
    Open the WorldClient.ini file in a text editor such as Notepad.
    In the [Sessions] section, set the CheckCookie option equal to Yes.

If the CheckCookie option is already set to Yes, no further action is
needed. If you changed the value of the CheckCookie option you will need
to complete the following steps to ensure the change is implemented.

    Save the file.
    In the MDaemon user interface select the Setup menu.
    Select Web and IM Services.
    Click the Restart WorldClient button.

http://www.altn.com/Images/KB/02440-02539/KBA-02496/KBA_02496_Step4b.png

---

-- 
syafril
-------
Syafril Hermansyah
Running MDaemon 13.0.4, SP 4.1.5

A sad spectacle.  If they be inhabited, what a scope for misery and folly.
If they be not inhabited, what a waste of space.
        -- Thomas Carlyle, looking at the stars
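
The CheckCookie step in the article quoted above can be checked with a script. This is an added example, not part of the original message or of Alt-N's article; it assumes section names, key names and the value Yes are matched case-insensitively, and the sample INI text (including the [Other] section) is constructed.

```python
import re
import sys

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")

def check_cookie_status(ini_text):
    """Classify the CheckCookie option in the [Sessions] section of WorldClient.ini text."""
    in_sessions = seen_section = False
    values = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank lines and commented-out settings do not count
        m = SECTION_RE.match(line)
        if m:
            # Assumption: section and key names are case-insensitive.
            in_sessions = m.group(1).strip().lower() == "sessions"
            seen_section = seen_section or in_sessions
            continue
        if in_sessions and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "checkcookie":
                values.append(val.strip().lower())
    if not seen_section:
        return "missing-section"
    if not values:
        return "missing-key"
    if all(v == "yes" for v in values):
        return "enabled"
    # Duplicate keys that disagree are reported rather than guessing which one wins.
    return "conflicting" if "yes" in values else "disabled"

# Constructed samples, not taken from a real WorldClient.ini.
SAMPLES = {
    "hardened": "[Sessions]\nCheckCookie=Yes\n",
    "disabled": "[Sessions]\nCheckCookie = No\n",
    "commented": "[Other]\nCheckCookie=Yes\n[Sessions]\n;CheckCookie=Yes\n",
    "conflict": "[Sessions]\nCheckCookie=Yes\nCheckCookie=No\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to WorldClient.ini, supplied by the operator
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            status = check_cookie_status(fh.read())
        print(f"{sys.argv[1]}: CheckCookie is {status}")
        sys.exit(0 if status == "enabled" else 1)
    for name, text in SAMPLES.items():
        print(f"{name}: {check_cookie_status(text)}")
```

Any result other than "enabled" means the file still needs the edit described in the article, followed by the WorldClient restart.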


-- 
--[MDaemon-L]------------------------------------------------
This mailing list is for discussion among users of MDaemon Mail Server.

Netiquette: <http://www.netmeister.org/news/learn2quote>
Archive: <http://mdaemon-l.dutaint.com>
Documentation: <http://mdaemon.dutaint.co.id>
Unsubscribe: send mail to MDaemon-L-unsubscribe [at] dutaint.com
Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
Latest versions: MD 13.0.4, SP 4.1.5, BES 2.0.1, OC 2.3.0, SG 2.0.8, PP 2.0.0

Send email to