OSVDB ID: 12674

Title: Macallan Mail Solution Web Interface Malformed URL Authentication Bypass

Dates

Disclosure: Dec 31, 2004
Discovery: Dec 04, 2004
Exploit: Dec 31, 2004
Solution: Unknown

Description

Macallan Mail Solution contains a flaw in its web interface that may allow a remote attacker to bypass authentication settings. The issue is triggered by a specially crafted HTTP request containing URL-encoded slash characters ('%2f') or a non-existent directory. Successful exploitation may result in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Authentication Management
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 4.1.1.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Vendor: Macallan
Product: Macallan Mail Solution
Version: 4.0.6.8 (Build 786)

References

Credit

  • Dennis Rand - advisory@cirt.dk - Danish Computer Incident Response Team


Direct URL: http://osvdb.org/36218