DESCRIPTION:
A weakness, a security issue, and multiple vulnerabilities have been reported in MDaemon, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct session hijacking, cross-site request forgery, and script insertion attacks, manipulate certain data, disclose certain sensitive information, and cause a DoS (Denial of Service).

1) The application generates WorldClient session identifiers in a predictable way, which can be exploited to predict session identifiers and conduct session hijacking attacks.

2) The application discloses the validity of email addresses via the Free-Busy schedule of WorldClient, which can be exploited to e.g. enumerate valid email addresses or user names.

3) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. modify authentication credentials or enable mail forwarding when a logged-in user visits a specially crafted web page.

4) Input related to the email body is not properly sanitised in WorldClient before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if malicious data is viewed.

5) The application does not properly restrict access to the user import functionality in WebAdmin, which can be exploited to e.g. import specially crafted user data and subsequently execute arbitrary code.

6) The TLS implementation does not properly clear transport layer buffers when upgrading from plaintext to ciphertext after receiving the "STARTTLS" command. This can be exploited to insert arbitrary plaintext data (e.g. IMAP commands) during the plaintext phase, which will then be executed after upgrading to the TLS ciphertext phase.

7) An error when processing email headers can be exploited to cause a crash by sending a specially crafted email message. Successful exploitation of this vulnerability requires the "Strip X-Headers" setting to be enabled.

The vulnerabilities are reported in versions prior to 13.0.4.

SOLUTION:
Update to version 13.0.4.

PROVIDED AND/OR DISCOVERED BY:
1 - 5) Demetris Papapetrou, QSecure.
6, 7) Reported by the vendor.

ORIGINAL ADVISORY:
MDaemon:
http://files.altn.com/MDaemon/release/relnotes_en.html

Demetris Papapetrou:
http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_and_WebAdmin_CSRF.html
http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Predictable_Session_ID.html
http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_Email_Body_HTML_JS_Injection.html
http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Username_Enumeration.html
http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WebAdmin_Remote_Code_Execution.html
http://www.qsecure.com.cy/whitepapers/Pwning_MDaemon.pdf

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
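The buffer-handling defect in item 6, shown as an added illustration that is not part of this advisory or of MDaemon's code: a simulated line-oriented command reader in which bytes already buffered during the plaintext phase survive the STARTTLS upgrade and are then treated as TLS-protected, next to the fix that discards them. The IMAP tags and commands are constructed sample input.

```python
"""Simulated server-side command reader around a STARTTLS upgrade (illustration)."""
from dataclasses import dataclass, field


@dataclass
class CommandReader:
    """Line reader over a byte stream, as an IMAP front end would use.

    flush_on_upgrade=False models the defect: data pipelined behind STARTTLS in
    the same segment stays in the application buffer and is handled after the
    transport flag flips, so it is logged as if it had arrived over TLS.
    flush_on_upgrade=True models the fix: RFC 3501 forbids pipelining after
    STARTTLS, so anything still buffered at upgrade time is dropped.
    """
    flush_on_upgrade: bool
    buffer: bytes = b""
    tls: bool = False
    log: list = field(default_factory=list)  # (tag, command, phase) tuples

    def feed(self, data: bytes) -> None:
        self.buffer += data

    def readline(self):
        # Return one complete CRLF-terminated line, or None if none is buffered.
        if b"\r\n" not in self.buffer:
            return None
        line, _, self.buffer = self.buffer.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def handle(self, line: str) -> None:
        tag, _, cmd = line.partition(" ")
        if cmd.upper() == "STARTTLS":
            self.tls = True  # transport is upgraded from here on
            if self.flush_on_upgrade:
                self.buffer = b""  # discard plaintext received before the upgrade
            self.log.append((tag, "STARTTLS", "plaintext"))
        else:
            phase = "tls" if self.tls else "plaintext"
            self.log.append((tag, cmd.split(" ")[0].upper(), phase))


def run(flush_on_upgrade: bool, segment: bytes, after_upgrade: bytes):
    """Process one plaintext segment, then data that genuinely arrived over TLS."""
    reader = CommandReader(flush_on_upgrade)
    for chunk in (segment, after_upgrade):
        reader.feed(chunk)
        while (line := reader.readline()) is not None:
            reader.handle(line)
    return reader.log


if __name__ == "__main__":
    # Constructed sample: a benign NOOP pipelined behind STARTTLS in one segment.
    for flush in (False, True):
        print("flush" if flush else "no flush", run(flush, b"A1 STARTTLS\r\nA2 NOOP\r\n", b"A3 CAPABILITY\r\n"))
```

With the defect, the pipelined A2 command is logged in the "tls" phase although it was never encrypted; with the flush, only A3, which really arrived after the upgrade, is processed.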

