SecurityTracker.com
Category:  Application (E-mail Server)  >  Intellipeer Email Server
Vendors:  Nettica Corporation
Intellipeer Email Server Discloses Valid User Account Names to Remote Users
SecurityTracker Alert ID:  1011425
SecurityTracker URL:  http://securitytracker.com/id?1011425
CVE Reference:  CAN-2004-2150
Updated:  Jul 2 2005
Original Entry Date:  Sep 27 2004
Impact:  Disclosure of user information
Exploit Included:  Yes
Vendor Confirmed:  Yes
Advisory:  Global Security Solution IT (GSSIT)
Version(s): 1.01
Description:  Ziv Kamir of Global Security Solution IT reported a vulnerability in Intellipeer Email Server. A remote user can determine valid user account names on the mail server.

It is reported that the POP3 mail server returns different error messages in response to login attempts depending on whether the supplied username is valid or invalid. If the remote user provides an invalid username, the server will respond with the following type of message:

-ERR User2 unknown account

If the remote user provides a valid username, the server will respond with the following type of message:

+OK User1

The vendor was notified on September 27, 2004.

Impact:  A remote user can determine valid user account names on the target mail server.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.nettica.com/Downloads/Default.aspx
Cause:  Access control error, State error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Reported By:  GSS IT <gss_it@yahoo.com>
Message History:   None.
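
A server-side illustration of the difference described above, added here as an example and not code from Intellipeer, Nettica or the advisory: the first handler reproduces the two replies quoted in the description, the second accepts any USER and fails only at PASS with one generic message, which RFC 1939 permits. The account store, the reply strings other than the two quoted ones, and all function and class names are assumptions.

```python
import hmac

# Constructed sample account store (assumption, not from the advisory).
ACCOUNTS = {"User1": "s3cret-example"}
DUMMY_PASSWORD = "not-a-real-password"  # compared against for unknown users


def leaky_user(name):
    """USER handler with the behaviour the advisory describes."""
    if name in ACCOUNTS:
        return f"+OK {name}"
    return f"-ERR {name} unknown account"


class UniformSession:
    """USER always succeeds; the only failure is a generic one at PASS."""

    def __init__(self):
        self.user = None

    def user_cmd(self, name):
        self.user = name  # remember the name, reveal nothing about it
        return "+OK send PASS"

    def pass_cmd(self, password):
        if self.user is None:
            return "-ERR USER first"
        known = self.user in ACCOUNTS
        expected = ACCOUNTS.get(self.user, DUMMY_PASSWORD)
        # Always run the comparison so unknown users cost the same work.
        match = hmac.compare_digest(password.encode(), expected.encode())
        self.user = None  # require a fresh USER after every attempt
        if known and match:
            return "+OK maildrop ready"
        return "-ERR authentication failed"


def transcript(name, password):
    """Server replies for one USER/PASS attempt against UniformSession."""
    session = UniformSession()
    return [session.user_cmd(name), session.pass_cmd(password)]


def leaks_validity(user_handler, valid, invalid):
    """Regression check: do USER replies differ beyond the echoed name?"""
    a = user_handler(valid).replace(valid, "<name>")
    b = user_handler(invalid).replace(invalid, "<name>")
    return a != b
```

`leaks_validity` can be kept as a regression test against whatever USER handler a server ships, so a later change that reintroduces a distinct "unknown account" reply is caught.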


 Source Message Contents

Date:  Mon, 27 Sep 2004 06:39:37 -0700 (PDT)
From:  GSS IT <gss_it@yahoo.com>
Subject:  INTELLIPEER EMAIL SERVER

 
 
27/09/04
 
 
====================================
 GSSIT - Global Security Solution IT
====================================		
 
-------------------------------------------------------
 
Application: INTELLIPEER EMAIL SERVER 
Web Site:    www.nettica.com
Versions:    1.01
Platform:    Windows 
 
             
                           
Credits:
########
 
#########################################
#         ==  Ziv Kamir ==              #
#                                       #
# GSSIT - Global Security Solution IT   #                   
#                                       #
#     Email : gss_it@yahoo.com          #
#                                       #
#                                       #
#########################################
 
---------------------
 
1) Introduction
2) Bug
3) The Code
4) Fix
 
 
================
1) Introduction
================
 
Advanced anti-spam technology stops virtually all spam 
Intellipeer Safe Envelope technology filters HTML messages so you can safely read all 
messages from your server in rich text. 
Supports all major email clients 
Multiple virtual hosts 
Mailing Lists 
Standards compliant SMTP/POP3 Server 
Seamless integration with Windows accounts 
Easily configure your UPnP compliant Internet Gateway 
Easy to use administration tool 
 
 
=======
2) Bug
=======
 
A remote user can determine valid user account names on the POP server.
 
The POP server returns different error messages in response to valid login attempts versus invalid login attempts.
 
 
===========
3) The Code
===========
 
When an invalid user name is specified, the POP server responds with:
 
-ERR User2 unknown account
 
When a valid user name is specified, the POP server responds with:
 
+OK User1
 
 
======
4) Fix
======
 
Date of Vendor Notification:
----------------------------
27/09/04
 
Response:
=========
27/09/04
 
We will take your feedback into consideration when implementing our next release.
 
==============================================================================================
*** The Data is for educational purpose only. ***
 
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
==============================================================================================



Copyright 2005, SecurityGlobal.net LLC