Wavecon Advisory: Open-Xchange <= 0.8.2 default user with /bin/bash and default password

2006-05-30T00:00:00
ID SECURITYVULNS:DOC:12889
Type securityvulns
Reporter Securityvulns
Modified 2006-05-30T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory Name: Open-Xchange default user with /bin/bash
Vendor: Open-Xchange Inc.
Product: Open-Xchange
Version: < 0.8.2
Author: Cemil Degirmenci
Risk: high

o Description:

The OPEN-XCHANGE Collaboration and Integration Server Environment allows you to store appointments, contacts, tasks, email messages, bookmarks, documents and many other elements, and to share them with other users. It can be accessed from any modern web browser and from multiple fat clients such as MS Outlook, Palm devices, KDE Kontact, Apple's iCal, Konqueror, Mozilla Calendar and many more, based on open standards and interfaces. Third-party products can access the application over many different interfaces such as WebDAV (XML), LDAP, iCal, an API and HTTP/S.

o Vulnerability

There is a default user with the username "mailadmin" and the password "secret" in the Open-Xchange LDAP directory. The entry is a posixAccount with loginShell /bin/bash, so if the host authenticates Unix logins against this directory, anyone who knows the default gets an interactive shell on the box; the same entry also carries the aliases postmaster@ and root@ for the mail domain. The shipped entry is:

dn: uid=mailadmin,ou=Users,ou=OxObjects,dc=example,dc=org
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: OXUserObject
uidNumber: 1001
homeDirectory: /home/mailadmin/
loginShell: /bin/bash
mailEnabled: OK
gidNumber: 500
mailDomain: example.org
ou: Administration
uid: mailadmin
sn: Admin
preferredLanguage: EN
mail: mailadmin@example.org
o: Example Organization
smtpServer: localhost
imapServer: localhost
alias: postmaster@example.org
alias: root@example.org
givenName: Admin
cn: Admin Admin
shadowMin: 0
shadowMax: 9999
shadowWarning: 7
shadowExpire: 0
userPassword: secret
OXAppointmentDays: 5
OXGroupID: 500
OXTaskDays: 5
OXTimeZone: Europe/Berlin

This vulnerability only affects the open-source version of Open-Xchange.

o Solution

Be aware of this before you enable Unix authentication against the Open-Xchange LDAP directory, and change both the password and the login shell of this user. The password in the shipped entry is stored in cleartext, so replace it with a hashed value rather than with another cleartext one, and give the account a non-interactive shell. Do not trust default installations at all.
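As an added example (not code from the advisory or from Open-Xchange), the following Python script checks an LDIF export for the pattern described above, a cleartext or known-default userPassword together with an interactive loginShell, and builds the ldapmodify record that applies the recommended fix. The sample LDIF, the second account "alice", the choice of /bin/false as the replacement shell and the use of the {SSHA} password scheme are assumptions of the example; the advisory itself only says to change the password and the shell.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample LDIF (not a dump from a real directory): the advisory's
# default entry trimmed to the relevant attributes, beside a hardened account.
# A value after "::" is base64, the form ldapsearch uses for userPassword.
SAMPLE_LDIF = """\
dn: uid=mailadmin,ou=Users,ou=OxObjects,dc=example,dc=org
objectClass: posixAccount
uid: mailadmin
cn:: QWRtaW4gQWRtaW4=
loginShell: /bin/bash
alias: postmaster@example.org
alias: root@example.org
userPassword: secret

dn: uid=alice,ou=Users,ou=OxObjects,dc=example,dc=org
objectClass: posixAccount
uid: alice
loginShell: /bin/false
userPassword: {SSHA}pI9dk6sj7S1RCCltPvCKYP2GBh4tcc3p
"""

KNOWN_DEFAULT_PASSWORDS = {"secret"}  # the default named in the advisory
# Shells that give a real login; /bin/false and nologin variants count as safe.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/csh", "/bin/tcsh"}


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, decode '::' base64 values,
    return one {attribute: [values]} dict per entry (attribute names lowercased)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entries


def audit_entry(entry):
    """Return the reasons this entry matches the pattern from the advisory."""
    findings = []
    for pw in entry.get("userpassword", []):
        if not pw.startswith("{"):  # no {SCHEME} prefix means cleartext
            findings.append("cleartext userPassword")
            if pw in KNOWN_DEFAULT_PASSWORDS:
                findings.append("known default password")
    for shell in entry.get("loginshell", []):
        if shell in INTERACTIVE_SHELLS:
            findings.append("interactive loginShell " + shell)
    return findings


def find_default_accounts(ldif_text):
    """Map dn -> findings for every entry that needs attention."""
    result = {}
    for entry in parse_ldif(ldif_text):
        findings = audit_entry(entry)
        if findings and "dn" in entry:
            result[entry["dn"][0]] = findings
    return result


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a password against an {SSHA} value: first 20 bytes digest, rest salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def fix_ldif(dn, new_password, shell="/bin/false"):
    """Build an ldapmodify record that replaces the password with a hashed
    value and the login shell with a non-interactive one (assumed: /bin/false)."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + ssha_hash(new_password),
        "-",
        "replace: loginShell",
        "loginShell: " + shell,
        "-",
        "",
    ])
```

To run this against a real directory, produce the input with ldapsearch, for example `ldapsearch -x -W -D <admin dn> -b ou=Users,ou=OxObjects,dc=example,dc=org '(objectClass=posixAccount)' userPassword loginShell` (the bind DN is whatever your installation uses; reading userPassword needs a privileged bind, and ldapsearch emits it base64-encoded after `::`, which the parser handles), and apply the generated record with `ldapmodify -x -W -D <admin dn> -f fix.ldif`. {SSHA} is chosen here because slapd accepts it out of the box; where the server offers a stronger password scheme, prefer that.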

o Reference

http://www.open-xchange.org/bugzilla/show_bug.cgi?id=2815

o Notes

The vendor was informed on 2006-05-18. There was also a news item on the German news site golem.de on 2006-05-19 (http://www.golem.de/0605/45407.html).


Wavecon IT-Solutions GbR
Frankenstrasse 9 - 90762 Fuerth
Email: support@wavecon.de - Web: http://www.wavecon.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEd1aLudsr6D13pqsRAoxcAJsGQz5ccJUeLBjLI0gX//t8l2hEYwCgkGb2
ah1cR+Jvf+bClo3zmPUo97k=
=Cba0
-----END PGP SIGNATURE-----