Message-ID: <op.sth6tcfgwosoee@www.xion.at>
Date: Wed, 06 Jul 2005 19:57:02 +0200
From: Steve <steve01@...llo.at>
To: bugtraq@...urityfocus.com
Subject: PHPXMAIL - Authentication Bypass


Author:             Stefan Lochbihler
Date:               6 July 2005
Affected Software:  PHPXMAIL
Software Version:   0.7 -> 1.1
Software URL:       http://phpxmail.sourceforge.net/
Attack:             Authentication Bypass



Overview:
PhpXmail is a web-based management application for the Xmail mail server,
written in PHP.
Its main use is as a GUI (graphical user interface) to the Xmail
administration extensions.
It allows the administrator of the mail server to perform configuration
management and monitoring tasks for the mail server.
It allows the postmaster of each domain the Xmail server is configured for
to perform management functions.
It allows users who have a mail account to manage their account settings.


Hi there!

Details:
When we try to log in with a username and a wrong password, the server
responds with a message like: -00024 invalid password.
Looking at the code below, we see that the function checks whether the
first character of the response is a "-".
In that case the function returns false and exits.


code: class.xmail.php
if ($ret[0] == '-') { // not logged in
        $this->xm_err_msg = $ret; // get error msg
        return FALSE;
        echo "$ret";
        die;
        exit;
}


The problem occurs when we try to log in with an overlong password: we get
no response message from the server, so the function does not exit.

When we log in with a username like postmaster@...alhost and an overlong
password, we bypass the error handler and log in successfully.


code: from login.inc

      default:
      $mail_server->xm_ctrl_p = xmdecrypt($servers["$form_server"][3]);
      $logged_in = $mail_server->userauth($mail_server->xm_user_d, $mail_server->xm_user_u, $mail_server->xm_user_p);
      break;    /* here we try to log in */

      if ($logged_in != "The operation completed successfully.")
      $_SESSION['mail_server'] = $mail_server;
      $_SESSION['logged_in'] = $logged_in;    /* take a look at the session vars */



Vendor Status: The vendor has been informed.

Solution: Maybe add a maxsize tag to the password input field.



Discovered by Steve





-- 
Created with Opera's revolutionary e-mail module: http://www.opera.com/m2/
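
Added example (not part of the original advisory and not PHPXMAIL code): the check quoted from class.xmail.php treats only a reply starting with "-" as a failure, so a missing reply falls through as a login. The sketch below puts that fail-open logic beside a fail-closed variant and a server-side length check, since a length limit on the HTML input field is enforced only by the browser. The function names, the "+" success prefix and the 64-byte limit are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the limit below are hypothetical.

const MAX_PASSWORD_BYTES = 64; // assumed limit, not taken from PHPXMAIL or XMail

// Mirrors the quoted check: only a leading '-' counts as a failure.
function is_logged_in_fail_open($ret): bool
{
    if (isset($ret[0]) && $ret[0] == '-') {
        return false;
    }
    return true; // an empty or missing reply falls through to here
}

// Fail-closed variant: only an explicit positive reply counts as success.
function is_logged_in_fail_closed($ret): bool
{
    if (!is_string($ret) || $ret === '') {
        return false; // no reply from the server is treated as a failure
    }
    return $ret[0] === '+'; // assumption: success replies start with '+'
}

// Server-side length check, applied before the password is sent to the
// mail server; it does not depend on anything the browser enforces.
function password_length_ok(string $password): bool
{
    return strlen($password) <= MAX_PASSWORD_BYTES;
}

// Constructed sample replies (the first is the message quoted in the advisory).
$replies = [
    'rejected' => '-00024 invalid password',
    'accepted' => '+00000 OK',
    'no reply' => '',
];

foreach ($replies as $label => $ret) {
    printf(
        "%-9s fail-open=%-5s fail-closed=%s\n",
        $label,
        var_export(is_logged_in_fail_open($ret), true),
        var_export(is_logged_in_fail_closed($ret), true)
    );
}

// A constructed 65-byte password is refused before any login attempt.
var_dump(password_length_ok(str_repeat('A', 65)));
```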

