SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Sambar Server
Vendors:  Sambar Technologies
Sambar Server WebMail Discloses User Passwords Transmitted Via the Network
SecurityTracker Alert ID:  1006637
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 23 2003
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Advisory:  Security-Corp
Version(s): 6.0 Beta 1, 5.3, 5.2
Description:  Security Corporation reported an authentication information disclosure vulnerability in Sambar Server. A remote user monitoring the network can determine user passwords.

It is reported that the web server discloses the usernames and passwords of Sambar WebMail users. When a user logs in via WebMail, the username and password are sent in clear text by default.

The vendor has reportedly been notified.

Impact:  A remote user monitoring (sniffing) the network can determine the usernames and passwords of WebMail users.
Solution:  No solution was available at the time of this entry.

The author of the report recommends that you enable the secure HTTPS server (which is not started by default). To enable the HTTPS server, you must use the following config.ini file entry:

Act As HTTPS Server = true

Vendor URL:  www.sambar.com/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  Gregory LEBRAS <gregory.lebras@security-corporation.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 24 Apr 2003 00:43:36 +0200
From:  Gregory LEBRAS <gregory.lebras@security-corporation.com>
Subject:  [SCSA-018] Disclosure of authentication information in Sambar Server

 


======================================================================
Security Corporation Security Advisory [SCSA-018]

Disclosure of authentication information in Sambar Server
======================================================================

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 6.0 Beta 1
                      5.3
                      5.2 and prior ?
RISK: Low/Medium
IMPACT: Disclosure of authentication information
RELEASE DATE: 2003-04-24

Security Corporation's Free weekly Newsletter :
http://www.security-corporation.com/newsletter.html

======================================================================
TABLE OF CONTENTS
======================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
======================================================================

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant
Win32 integration functions on Windows 95, Windows 98, Windows NT,
Win2000, and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)


2. DETAILS
======================================================================

- Disclosure of authentication information :

A security vulnerability in Sambar Server Pro Server allows an
attacker to view the username and password of a user who logs in
on the webmail.

Indeed, when logging in on the WebMail part of Sambar Server Pro Server,
the username and password are sent in clear text.

A remote attacker with access to the target user's or target server's
traffic stream can view the username and the password.


3. EXPLOIT
======================================================================

- Disclosure of authentication information :

This vulnerability can be easily exploited by an attacker who is on
the same network. He can put a network sniffer on the network and sniff
the username and password sent in clear by Sambar Server Pro Server.

Here is a capture of the HTTP Headers :

-------CUT-------

POST /session/login HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: http://[target]/sysuser/webmail/
Accept-Language: fr
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.0.23
Content-Length: 200
Pragma: no-cache
Connection: keep-alive
Browser reload detected...
Posting 200 bytes...
RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm
onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm
start=1
RCSdesktop=false
RCSsort=desc
RCSfolder=inbox
RCShome=%2Fsysuser%2Fwebmail
RCuser=administrator
RCpwd=thepassword

-------CUT-------


4. SOLUTIONS
======================================================================

No solution for the moment.


5. WORKAROUND
======================================================================

We strongly urge you to start the HTTPS Server.
The HTTPS server does not start by default; it must be enabled via
the config.ini file entry Act As HTTPS Server = true.


6. DISCLOSURE TIMELINE
======================================================================

19/04/2003 Vulnerability discovered
19/04/2003 Vendor notified
20/04/2003 Security Corporation clients notified
23/04/2003 Vendor response
24/04/2003 Public disclosure


7. CREDITS
======================================================================

Discovered by Gregory Le Bras <gregory.lebras@security-corporation.com>


8. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
======================================================================

- Original Version:
   http://www.security-corporation.com/advisories-018.html

- Version Française:
   http://www.security-corporation.com/index.php?id=advisories&a=018-FR


10. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com
info@security-corporation.com
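
A defensive check for the exposure this advisory describes, added here as an example (it is not part of the advisory or of SecurityTracker's entry): it audits a captured login request from your own server and reports secret-looking form fields that were posted without TLS, redacting their values. The function names, the `tls` flag supplied by the caller (for example from the listener the request arrived on), the hint list and the sample request are assumptions made for illustration; only the `/session/login` path and the `RCuser`/`RCpwd` field names come from the capture above.

```python
from urllib.parse import parse_qsl

# Substrings that suggest a secret field; RCpwd is the WebMail field in the advisory.
SECRET_HINTS = ("pwd", "pass", "secret")

def parse_request(raw: str):
    """Split a captured HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip folded continuation lines that carry no header name
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()

def audit_cleartext_login(raw: str, tls: bool):
    """Return a finding if a form POST carried secret-looking fields without TLS."""
    method, path, headers, body = parse_request(raw)
    if tls or method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = dict(parse_qsl(body, keep_blank_values=True))
    secret = sorted(k for k in fields if any(h in k.lower() for h in SECRET_HINTS))
    if not secret:
        return None
    # Report field names only; secret values are replaced before anything is returned.
    return {
        "host": headers.get("host", "?"),
        "path": path,
        "secret_fields": secret,
        "redacted": {k: ("***" if k in secret else v) for k, v in fields.items()},
    }

# Constructed sample modelled on the advisory's capture; host and values are placeholders.
SAMPLE = (
    "POST /session/login HTTP/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: webmail.example.test\r\n"
    "\r\n"
    "RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm&RCuser=alice&RCpwd=constructed-value"
)

if __name__ == "__main__":
    print(audit_cleartext_login(SAMPLE, tls=False))
```

A finding on a request that reached the plain HTTP listener means the HTTPS workaround is not in effect for that login path.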


 



Copyright 2002, SecurityGlobal.net LLC