Full Disclosure mailing list archives

[SCSA-018] Disclosure of authentication information in Sambar Server


From: "Gregory LEBRAS" <gregory.lebras () security-corporation com>
Date: Thu, 24 Apr 2003 00:42:40 +0200

======================================================================
Security Corporation Security Advisory [SCSA-018]

Disclosure of authentication information in Sambar Server
======================================================================

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 6.0 Beta 1
                     5.3
                     5.2 and prior ?
RISK: Low/Medium
IMPACT: Disclosure of authentication information
RELEASE DATE: 2003-04-24

======================================================================
TABLE OF CONTENTS
======================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
======================================================================

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant
Win32 integration functions on Windows 95, Windows 98, Windows NT,
Win2000, and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)


2. DETAILS
======================================================================

- Disclosure of authentication information :

A security vulnerability in Sambar Server Pro Server allows an
attacker to view the username and password of a user who logs in
to the webmail.

Indeed, when logging in to the WebMail part of Sambar Server Pro Server,
the username and password are sent in clear text.

A remote attacker with access to the target user's or target server's
traffic stream can view the username and the password.


3. EXPLOIT
======================================================================

- Disclosure of authentication information :

This vulnerability can be easily exploited by an attacker who is on
the same network. He can put a network sniffer on the network and sniff
the username and password sent in clear text by Sambar Server Pro Server.

Here is a capture of the HTTP headers:

-------CUT-------

POST /session/login HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: http://[target]/sysuser/webmail/
Accept-Language: fr
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.0.23
Content-Length: 200
Pragma: no-cache
Connection: keep-alive
Browser reload detected...
Posting 200 bytes...
RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm
onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm
start=1
RCSdesktop=false
RCSsort=desc
RCSfolder=inbox
RCShome=%2Fsysuser%2Fwebmail
RCuser=administrator
RCpwd=thepassword

-------CUT-------


4. SOLUTIONS
======================================================================

No solution for the moment.


5. WORKAROUND
======================================================================

We strongly urge you to start the HTTPS server.
The HTTPS server does not start by default; it must be enabled via
the config.ini file entry Act As HTTPS Server = true.


6. DISCLOSURE TIMELINE
======================================================================

19/04/2003 Vulnerability discovered
19/04/2003 Vendor notified
20/04/2003 Security Corporation clients notified
23/04/2003 Vendor response
24/04/2003 Public disclosure


7. CREDITS
======================================================================

Discovered by Gregory Le Bras <gregory.lebras () security-corporation com>


8. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
======================================================================

- Original Version:
  http://www.security-corporation.com/advisories-018.html

- Version Française:
  http://www.security-corporation.com/index.php?id=advisories&a=018-FR


10. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com
info () security-corporation com
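
Added example, not part of the original advisory or of Sambar Server: a
defender-side check that flags credential form fields submitted over
plain HTTP, as in the /session/login capture in section 3. The sample
request is constructed, and the field-name hints beyond RCuser/RCpwd are
assumptions.

```python
from urllib.parse import parse_qsl

# Field-name fragments that suggest credentials. "pwd" and "user" match the
# RCpwd / RCuser fields in the advisory's capture; the others are assumptions.
SECRET_HINTS = ("pwd", "pass", "secret")
IDENT_HINTS = ("user", "login")

# Constructed sample modelled on the advisory's capture (placeholder values).
SAMPLE = (
    b"POST /session/login HTTP/1.0\r\n"
    b"Host: webmail.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm&start=1&RCSfolder=inbox"
    b"&RCuser=alice&RCpwd=not-a-real-password"
)

def audit_request(raw: bytes, over_tls: bool) -> list[dict]:
    """Return findings for credential fields in one raw HTTP request.

    Only field names and value lengths are reported, never the values.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    # Nothing to report if the transport was encrypted or this is not a form POST.
    if over_tls or method != "POST" or not ctype.startswith(
            "application/x-www-form-urlencoded"):
        return []
    findings = []
    for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        lowered = key.lower()
        if any(h in lowered for h in SECRET_HINTS):
            kind = "password"
        elif any(h in lowered for h in IDENT_HINTS):
            kind = "username"
        else:
            continue
        findings.append({"path": path, "field": key, "kind": kind,
                         "value_len": len(value)})
    return findings
```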

