The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com
Daylite Password Disclosure
------------------------------------------------------------------------
SUMMARY
"Daylite 3 is a new generation of productivity management software."
<http://www.marketcircle.com/>
The password retrieval mechanism in Daylite is poorly designed and allows
attackers to obtain users' login passwords.
DETAILS
Vulnerable Systems:
* Daylite version 1.7 and above
* Daylite version 3 and prior
When connecting to the Daylite server, the client must supply a valid user
name but may enter any password. After rejecting the login, Daylite offers
to send the password by email. Selecting this option sends an email
containing the target user's password to the target user's configured
email address.
The vulnerability exists because the email is sent using the SMTP
configuration of the connecting client system, which the attacker controls.
By sniffing the network, or by pointing the client system's SMTP settings
at a mail server under the attacker's control, the attacker can read the
password in transit. The server then accepts a Daylite login with the
disclosed password.
Workaround:
Ensuring that all users are configured with no email address will prevent
the client from attempting to send the password by email.
However, it is not clear that this will prevent a client from retrieving
passwords without authentication.
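The design flaw above, illustrated with added example code that is not Daylite's (the product's code is not public): a hypothetical server-side password recovery handler in the vulnerable shape this advisory describes, beside a hardened one that stores only password hashes, never returns the password, and mails a short-lived one-time token from the server's own mailer rather than through the client's SMTP settings. The user store, addresses and reset URL are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed user store. The vulnerable design has to hand the password back to the
# client, so it only works if the server keeps passwords in recoverable form.
USERS_CLEARTEXT = {"alice": {"password": "hunter2", "email": "alice@example.test"}}

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Hardened store keeps only a salted hash, so there is no password to disclose.
_SALT = secrets.token_bytes(16)
USERS_HASHED = {"alice": {"salt": _SALT, "hash": _hash_password("hunter2", _SALT),
                          "email": "alice@example.test"}}
RESET_TOKENS: Dict[str, tuple] = {}  # username -> (sha256(token), expiry time)

def vulnerable_forgot_password(username: str) -> Optional[Dict[str, str]]:
    """Before: an unauthenticated caller gets the cleartext password back and the
    client mails it through its own SMTP settings, so the caller can read it."""
    user = USERS_CLEARTEXT.get(username)
    if user is None:
        return None
    return {"to": user["email"], "body": f"Your password is {user['password']}"}

def hardened_forgot_password(username: str, send_mail: Callable[[str, str], None]) -> bool:
    """After: the server mints a random one-time token, stores only its hash with a
    15-minute expiry and delivers it via the server's mailer; the caller never sees
    it, and the answer is the same whether or not the user exists."""
    user = USERS_HASHED.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = (hashlib.sha256(token.encode()).digest(), time.time() + 900)
        send_mail(user["email"], f"Reset link: https://reset.example.test/?token={token}")
    return True

def redeem_reset_token(username: str, token: str, new_password: str) -> bool:
    """Consumes the token on success; expired or mismatched tokens are rejected."""
    entry = RESET_TOKENS.get(username)
    if entry is None or time.time() > entry[1]:
        RESET_TOKENS.pop(username, None)
        return False
    if not hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).digest()):
        return False
    del RESET_TOKENS[username]
    salt = secrets.token_bytes(16)
    USERS_HASHED[username].update(salt=salt, hash=_hash_password(new_password, salt))
    return True
```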
Disclosure Timeline:
May 11, 2006 - Initial vendor contact (via
http://www.marketcircle.com/kb/contact.php)
May 18, 2006 - Repeat vendor contact (via support@marketcircle.com)
May 24, 2006 - Daylite 3.0.3 released -- vulnerability confirmed in new
version
May 25, 2006 - Contact to news@securiteam.com for assistance
June 7, 2006 - Added Credit and Workaround sections
June 7, 2006 - Repeat vendor contact (via security-alert@marketcircle.com,
secure@marketcircle.com, security@marketcircle.com,
support@marketcircle.com, info@marketcircle.com, and
secalert@marketcircle.com)
June 13, 2006 - Public Disclosure
ADDITIONAL INFORMATION
The information has been provided by Security Alert
<mailto:secureobscure@gmail.com>.