Hi,
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02494

---
MDaemon's WorldClient Username Enumeration Vulnerability
KBA-02494

Purpose & Scope

The Free/Busy server included with WorldClient can be used to determine if an email address is valid in MDaemon. The Free/Busy server is accessed by programs such as Microsoft Outlook to check attendee availability when scheduling meetings. WorldClient and BES do not require the Free/Busy server to check availability.

Procedure

If the Free/Busy server is in use and Administrators would like to protect themselves against this attack, a password can be configured using the following instructions:

1. Open the MDaemon user interface.
2. Select the Setup menu.
3. Select Web and IM Services.
4. In the WorldClient section select Calendar.
5. In the Free/busy password field enter the desired password.
6. Click the OK button.

Once the password is configured anyone accessing the Free/Busy server from outside of WorldClient will need to update the search path to include the password by adding “&password=$PASSWORD$”, where $PASSWORD$ is the password specified on the server, to the URL.

Comments

Note: If there was an existing Free/Busy password configured prior to updating to 13.0.4, resetting the Free/Busy password is required.
---
--
syafril
-------
Syafril Hermansyah
Running MDaemon 13.0.4, SP 4.1.5

It will be advantageous to cross the great stream ... the Dragon is on the wing in the Sky ... the Great Man rouses himself to his Work.
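An added example, not part of the original post or the KB article: a log check an administrator could run to spot sources that query the Free/Busy server for many different addresses without supplying the password. The Common Log Format layout, the `view=fbinfo` and `user=` query names, the threshold and all sample lines are assumptions constructed for illustration; adjust them to the web log your server actually writes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: Common Log Format; Free/Busy lookups carry view=fbinfo and user=<address>.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real WorldClient output.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Mar/2013:10:00:01 +0700] "GET /WorldClient.dll?view=fbinfo&user=alice@example.com HTTP/1.1" 200 512
203.0.113.9 - - [01/Mar/2013:10:00:02 +0700] "GET /WorldClient.dll?view=fbinfo&user=bob@example.com HTTP/1.1" 200 80
203.0.113.9 - - [01/Mar/2013:10:00:03 +0700] "GET /WorldClient.dll?view=fbinfo&user=carol@example.com HTTP/1.1" 200 80
203.0.113.9 - - [01/Mar/2013:10:00:04 +0700] "GET /WorldClient.dll?view=fbinfo&user=Alice@example.com HTTP/1.1" 200 512
198.51.100.20 - - [01/Mar/2013:10:05:00 +0700] "GET /WorldClient.dll?view=fbinfo&user=alice@example.com&password=EXAMPLE HTTP/1.1" 200 512
198.51.100.20 - - [01/Mar/2013:10:05:01 +0700] "GET /WorldClient.dll?view=fbinfo&user=bob@example.com&password=EXAMPLE HTTP/1.1" 200 512
198.51.100.20 - - [01/Mar/2013:10:05:02 +0700] "GET /WorldClient.dll?view=fbinfo&user=carol@example.com&password=EXAMPLE HTTP/1.1" 200 512
192.0.2.5 - - [01/Mar/2013:10:06:00 +0700] "GET /WorldClient.dll?view=fbinfo&user=dave@example.com HTTP/1.1" 200 80
192.0.2.5 - - [01/Mar/2013:10:06:05 +0700] "GET /WorldClient.dll?View=Main HTTP/1.1" 200 4096
"""

def parse_line(line):
    """Return (source_ip, queried_address, has_password) for a Free/Busy request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, _status = m.groups()
    query = parse_qs(urlsplit(target).query)  # blank values (password=) are dropped
    if query.get("view", [""])[0].lower() != "fbinfo" or "user" not in query:
        return None
    return ip, query["user"][0].lower(), "password" in query

def find_enumerators(lines, threshold=3):
    """Map each source IP to the distinct addresses it looked up without a password."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and not rec[2]:
            seen[rec[0]].add(rec[1])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= threshold}

if __name__ == "__main__":
    for ip, users in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(users)} distinct addresses queried without password")
```

Once the Free/Busy password is configured, any source this check still reports is one whose search path has not been updated or that is not a legitimate scheduling client.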

