Cyclonic Authentication Bypass

2003-12-10T19:00:26
ID OSVDB:3153
Type osvdb
Reporter OSVDB
Modified 2003-12-10T19:00:26

Description

Vulnerability Description

Cyclonic Web-Mail contains a flaw that may allow a malicious user to subvert the login process. The issue exists because Web-Mail accepts POP authentication results from an external POP server that the user specifies, rather than from a server the administrator configured. This flaw allows a user without a valid account to obtain authenticated access to the Web-Mail system, resulting in a loss of integrity.

Technical Description

Authenticated access via this flaw provides an anonymous vector for a malicious user to exploit local vulnerabilities in Web-Mail.
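As an added example (not Cyclonic's code), the flawed pattern described above beside a hardened login check: the front end only honours a POP "login OK" from administrator-configured servers. TRUSTED_POP_SERVERS, the function names and the offline stand-in for the POP client are assumptions.

```python
# Constructed configuration (assumption): the only POP servers whose
# authentication result the web-mail front end will honour.
TRUSTED_POP_SERVERS = {"pop.example.internal"}


def normalize_host(host: str) -> str:
    """Canonicalise a hostname before the allow-list check (case, whitespace, trailing dot)."""
    return host.strip().lower().rstrip(".")


# Constructed stand-in for "connect to pop_host and try USER/PASS", so the
# example runs offline. The trusted server checks one real account; any other
# host behaves like a server the user controls and accepts whatever it is sent.
def pop_login(username: str, password: str, pop_host: str) -> bool:
    if pop_host == "pop.example.internal":
        return (username, password) == ("alice", "s3cret")
    return True


def authenticate_vulnerable(username: str, password: str, pop_host: str) -> str:
    """The flawed pattern: whichever POP host the user supplies decides the login."""
    return "ok" if pop_login(username, password, pop_host) else "bad-credentials"


def authenticate(username: str, password: str, pop_host: str) -> str:
    """Hardened form: refuse any POP host the administrator has not configured,
    and only then let the POP server's verdict decide the login."""
    host = normalize_host(pop_host)
    if host not in TRUSTED_POP_SERVERS:
        return "untrusted-server"
    return "ok" if pop_login(username, password, host) else "bad-credentials"
```

A front end that never lets the client name the POP server at all (a fixed server from configuration) removes the check entirely; the allow-list form is for deployments that must support several servers.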

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

Use IP restrictions so that only users on trusted hosts can reach the application.

References:

- Vendor URL: http://www.stallion.au.com
- Secunia Advisory ID: 10421
- Related OSVDB ID: 3020
- Related OSVDB ID: 3151
- Related OSVDB ID: 3152
- Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-12/0173.html
- Bugtraq ID: 9195