SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (E-mail Client)  >  Microsoft Outlook Express Vendors:  Microsoft
Microsoft Outlook Express Mail Troubleshooting Function May Disclose SMTP Password to Local Users
SecurityTracker Alert ID:  1010166
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 17 2004
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 5, 6
Description:  A vulnerability was reported in Microsoft Outlook Express in the 'Mail' troubleshooting function. A local user may be able to obtain a target user's password.

Paul Kurczaba reported that when 'Mail' troubleshooting is enabled, a local user can obtain Base64-encoded SMTP username and password credentials from the log file.

The original advisory is available at:

http://www.kurczaba.com/securityadvisories/0405131.htm
Impact:  A local user may be able to obtain a target user's SMTP username and password.
Solution:  No solution was available at the time of this entry.

The author of the report indicates that, as a workaround, you can disable "Mail" troubleshooting in Outlook Express under: "Tools", "Options", "Maintenance".
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Sun, 16 May 2004 23:35:12 -0400
Subject:  http://www.kurczaba.com/securityadvisories/0405131.htm

 

http://www.kurczaba.com/securityadvisories/0405131.htm

Microsoft Outlook Express Sensitive Data Disclosure Vulnerability

Vulnerability ID Number:

0405131

Overview:

A vulnerability has been found in Microsoft Outlook Express. In certain cases, it is 
possible to obtain SMTP username and password credentials.

Vendor:

Microsoft (http://www.microsoft.com)

Affected Systems/Configuration:

The versions affected by this vulnerability are Microsoft Outlook Express 5 & 6. For the 
vulnerability to work, "Mail" troubleshooting must be enabled.

Vulnerability/Exploit:

If troubleshooting for "Mail" is enabled, it is possible to retrieve the Base64 encoded 
SMTP username and password credentials from the log file.

Workaround:

Disable "Mail" troubleshooting in Outlook Express under: "Tools", "Options"
, "Maintenance".

Proof of Concept:

Coming soon...

Date Discovered:

May 13, 2004

Severity:

High

Credit:

Paul Kurczaba


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC