NTMail Proxy Exploit

Type securityvulns
Reporter Securityvulns
Modified 2000-05-12T00:00:00


NTmail version 5.x (possibly other versions, I haven't checked) has two web functions. One is a web configuration server that lets you configure the mail server via a browser. The other is a proxy server. By default these two functions use two different ports (8000 for configuration and 8080 for the proxy). The proxy function has an off switch, so you can turn the proxy off and still configure your mail server via the browser, and your users can still read email via the browser.

So let's say you use NTmail and you also have a separate proxy server with restrictions for certain sites, Java, whatever; you have it restricted to protect your network and keep your users from visiting hacker and nudie sites.

If the web configuration for NTmail is on port 8000 (default), the proxy in NTmail is on port 8080 (default), and you have the proxy disabled, then the users are forced to go through your restricted proxy server. Port 8080 does not work.

However, if the user changes their proxy setup to point to NTmail on port 8000, it proxies them right out to the internet with no restrictions at all.

This can be a bit of a security issue. Normally I would not post something like this until the vendor had a patch released. However, in this case the discovery was made by Simon Talbot on the NTmail support list, and news of this will probably get out pretty quickly among the users, so I figured it is only fair to let the admins know about the hole as well, since it can be a fairly serious security issue. Also, if you have an NTmail server out on the open internet, it can be used by the world as a proxy server.

The workaround is to disable the www configuration service until a patch is released.
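
To confirm the workaround on your own server, you can send a proxy-style request to each NTmail web port and see whether it is forwarded. The Python check below is an added example, not part of the original advisory; the mail host name, the canary URL and the marker string are placeholders for a page you control outside the restricted network.

```python
import socket
from urllib.parse import urlsplit

def build_probe(canary_url):
    """Request as a browser sends it to its configured proxy: absolute URI on the request line."""
    host = urlsplit(canary_url).netloc
    return (f"GET {canary_url} HTTP/1.0\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode("ascii")

def classify(response, marker):
    """Decide from the raw response whether the port forwarded the request."""
    if not response:
        return "closed"      # nothing listening, or the connection was dropped
    if marker in response:
        return "relays"      # canary body came back, so the port acts as a proxy
    return "no-relay"        # something answered but did not fetch the canary

def check_port(host, port, canary_url, marker, timeout=5.0):
    """Send the probe to host:port and classify the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(canary_url))
            while len(data) < 65536:          # cap how much of the reply we read
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: classify whatever arrived
    return classify(data, marker)

if __name__ == "__main__":
    MAIL_HOST = "mail.example.internal"                     # placeholder host name
    CANARY = "http://canary.example.net/ntmail-check.txt"   # placeholder page you control
    MARKER = b"NTMAIL-CANARY-7f3a"                          # constructed string served by that page
    for port in (8000, 8080):  # default configuration and proxy ports from the advisory
        print(port, check_port(MAIL_HOST, port, CANARY, MARKER))
```

With the workaround applied, neither port should report `relays`; a `relays` result on port 8000 means the configuration service is still forwarding requests.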