lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <41AC1421.4090102@secnetops.com>
From: kf_lists at secnetops.com (kf_lists)
Subject: Privilege escalation flaw in MDaemon 7.2.

When I tested things it was on MDaemon 6.8

Excuse me... they did respond and it was LESS than a year ago. =]. Here 
is how it went:
------------------------------------------------------
02/03/2004 11:10 AM

Hello!

I have sent this on to the developers.

However, the issue you describe would require a user to have a valid
login and physical access to the machine.  With both of those, they can
login to the server and access the MDaemon GUI, which can also be
further secured with a password.  I'm not dismissing your submission,
just providing feedback.

If you have any questions, please let us know.  Thanks!

-- Billy Pinson Customer Service Lead Alt-N Technologies, Ltd. Helping 
The World Communicate! http://www.altn.com 
-------------------------------------------------------------- MDaemon 
7.0 is coming! Faster multi-thread/multi-CPU server engine, market 
leading spam control, improved mobile and PDA support, enhanced 
security, and killer OWA style web mail. 
--------------------------------------------------------------

-------------------------------------------------
02/04/2004 06:33 PM

Thanks much... any time estimate on the fix? It sounds as if it may have 
a low priority since its being added to a list.

-KF

Alt-N Sales - Billy Pinson wrote:

> One thing the developers have suggested in the mean time is to change
> the service so that it can not interact with the desktop, this would
> prevent the GUI from showing up.
>
> If you need GUI access simply run the MDaemon ghost option.  This will
> launch the GUI under the users account, rather than the system account.
>
> They have placed this on their list of things to be fixed.
>
-------------------------------------------------
03/18/2004 10:11 PM
Alt-N Sales - Lina Daaboul wrote:

> Hello,
>
> We do not have an estimated time at this time. 
> If you have any questions, please let us know.  Thanks!
>
-KF

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ