[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <op.sth6tcfgwosoee@www.xion.at>
Date: Wed, 06 Jul 2005 19:57:02 +0200
From: Steve <steve01@...llo.at>
To: bugtraq@...urityfocus.com
Subject: PHPXMAIL - Authentication Bypass
Author: Stefan Lochbihler
Date: 6. Juli 2005
Affected Software: PHPXMAIL
Software Version: 0.7 -> 1.1
Software URL: http://phpxmail.sourceforge.net/
Attack: Authentication Bypass
Overview:
PhpXmail is a web based management software for the Xmail mail server
written in php.
It's main usage is as a GUI (Graphic User Interface) to the Xmail
administration extensions.
It allows the administrator of the mail server to perform configuration
management and
monitoring tasks for the mail server.
It allows the postmaster for each domain the Xmail server is configured to
perform management functions.
It allows the users who have a mail account to manage their account
settings.
Hi there !
Details:
When we try to log in with a username and a wrong password the server
response with a message like: -00024 invalid password.
When we take a look at the code below we see that the function check if
the first character is a "-".
For this case the function return false and exit.
code: class.xmail.php
if ($ret[0] == '-') { // not logged in
$this->xm_err_msg = $ret; // get error msg
return FALSE;
echo "$ret";
die;
exit;
}
The problem occurs when we try to log in with an overlong password
because we get no response message from the server and the function dont
exit.
Now when we login with a username like postmaster@...alhost and an
overlong password
we bypass the error handler and successfully log in.
code: from login.inc
default:
$mail_server->xm_ctrl_p = xmdecrypt($servers["$form_server"][3]);
$logged_in = $mail_server->userauth($mail_server->xm_user_d,
$mail_server->xm_user_u, $mail_server->xm_user_p);
break; /* here we try to log in */
if ($logged_in != "The operation completed successfully.")
$_SESSION['mail_server'] = $mail_server;
$_SESSION['logged_in'] = $logged_in; /* take a look at the
session vars */
Vendor Status: The Vendor is informed !
Solution: Maybe insert a maxsize tag to the passwords input field.
Discovered by Steve
--
Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/
Powered by blists - more mailing lists