[NEWS] Daylite Password Disclosure

Type securityvulns
Reporter Securityvulns
Modified 2006-06-19T00:00:00


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html

Daylite Password Disclosure


" <http://www.marketcircle.com/> Daylite 3 is a new generation of productivity management software. "

Bad design of password retrieval allows attackers to gain login passwords in Daylite


Vulnerable Systems: * Daylite version 1.7 and above * Daylite version 3 and prior

By connecting into the Daylite server, need to provide valid user name, but can write anything as password. After rejecting the login, Daylite will offer to send the password by email. Selecting this option sends an email containing the target user's password to the target user's configured email address.

The vulnerability exists due to the use of the attacker's SMTP server configuration. By using a network sniffer or by setting the client system's SMTP settings to a server under the control of the attacker, the password can be easily discovered. The server then allows the attacker to connect Daylite using the disclosed password.

Workaround: Assuring that all users are configured with no email address will prevent the client from attempting to send the password by email.

However, it's not clear that this will prevent a client from retrieving passwords without authentication.

Disclosure Timeline: May 11, 2006 - Initial vendor contact (via http://www.marketcircle.com/kb/contact.php) May 18, 2006 - Repeat vendor contact (via support@marketcircle.com) May 24, 2006 - Daylite 3.0.3 released -- vulnerability confirmed in new version May 25, 2006 - Contact to news@securiteam.com for assistance June 7, 2006 - Added Credit and Workaround sections June 7, 2006 - Repeat vendor contact (via security-alert@marketcircle.com, secure@marketcircle.com, security@marketcircle.com, support@marketcircle.com, info@marketcircle.com, and secalert@marketcircle.com) June 13, 2006 - Public Disclosure


The information has been provided by <mailto:secureobscure@gmail.com> Security Alert.


This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.