SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Server)  >   TM-POP3 Server Vendors:   Trademark Software (TMSOFT)
TM-POP3 Mail Server Discloses User Passwords to Local Users
SecurityTracker Alert ID:  1007728
SecurityTracker URL:  http://securitytracker.com/id/1007728
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 17 2003
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 2.13
Description:   Ziv Kamir reported a vulnerability in the TM-POP3 e-mail server. A local user can view the user account passwords.

It is reported that the mail server stores usernames and passwords in clear text in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\TMSOFT\Pop3Server

The vendor was reportedly notified on September 15, 2003.
Impact:   A local user can view passwords for e-mail user accounts.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.tmsoft.com/tmpop3.asp (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (NT), Windows (2000), Windows (XP)

Message History:   None.

 Source Message Contents
Date:  Tue, 16 Sep 2003 14:08:18 -0700 (PDT)
Subject:  Vulnerability under TMpop3 Server


--------------070202050607060500030504
Content-Type: text/plain;
 name="TmPop3.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="TmPop3.txt"

15/09/03
				
-------------------------------------------------------

Application: TmPop3 Server  
Web Site:    http://www.tmsoft.com
Versions:    2.13 
Platform:    Windows 
Bug:         TmPop3 Server stores usernames and passwords in clear text 
             
            
Credits:
########

#################################
#                               #
# Ziv Kamir                     #
#                               #
# Email : vulncode@yahoo.com    #
#                               #
#                               #
#################################


---------------------

1) Introduction
2) Bug
3) Fix


===============
1) Introduction
===============

TmPop3 Server integrates with Microsoft SMTP server for Win2000/XP or NT 4.0. Allows for the download of electronic mail with multiple
 usernames via with any POP3 mail client. Allows for single root user that downloads all addressed mail. Contains security access
 controls to limit connection from only certain IP addresses. Implemented as a Windows service which can run on system boot.  The
 server has been tested on Windows NT, 2000, and XP and works with all popular e-mail clients including Microsoft Outlook.


======
2) Bug
======

TmPop3 Server stores usernames and passwords in the Registry under :
HKEY_LOCAL_MACHINE\SOFTWARE\TMSOFT\Pop3Server in clear text. 



===========
3) The Fix
===========

Date of Vendor Notification:

15-09-03

Status:






==============================================================================================

                 *** The Data is for educational purpose only. *** 

     The information in this bulletin is provided "AS IS" without warranty of any 
     kind. In no event shall we be liable for any damages whatsoever including 
     direct, indirect, incidental, consequential, loss of business profits or special damages. 

==============================================================================================



--------------070202050607060500030504--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC