Home page logo

bugtraq logo Bugtraq mailing list archives

PHPXMAIL - Authentication Bypass
From: Steve <steve01 () chello at>
Date: Wed, 06 Jul 2005 19:57:02 +0200

Author:         Stefan Lochbihler
Date:           6. Juli 2005
Affected        Software: PHPXMAIL
Software        Version: 0.7 -> 1.1
Software        URL: http://phpxmail.sourceforge.net/
Attack:         Authentication Bypass

PhpXmail is a web based management software for the Xmail mail server
written in php.
It's main usage is as a GUI (Graphic User Interface) to the Xmail
administration extensions.
It allows the administrator of the mail server to perform configuration
management and
monitoring tasks for the mail server.
It allows the postmaster for each domain the Xmail server is configured to
perform management functions.
It allows the users who have a mail account to manage their account

Hi there !

When we try to log in with a username and a wrong password the server
response with a message like: -00024 invalid password.
When we take a look at the code below we see that the function check if
the first character is a "-".
For this case the function return false and exit.

code: class.xmail.php
if ($ret[0] == '-') { // not logged in
                          $this->xm_err_msg = $ret; // get error msg
                          return FALSE;
                          echo "$ret";

The problem occurs when we try to log in with an overlong password
because we get no response message from the server and the function dont

Now when we login with a username like postmaster () localhost and an
overlong password
we bypass the error handler and successfully log in.

code: from login.inc

     $mail_server->xm_ctrl_p = xmdecrypt($servers["$form_server"][3]);
     $logged_in = $mail_server->userauth($mail_server->xm_user_d,
$mail_server->xm_user_u, $mail_server->xm_user_p);
     break;                                                       /* here we try to log in */

     if ($logged_in != "The operation completed successfully.")
     $_SESSION['mail_server'] = $mail_server;
     $_SESSION['logged_in'] = $logged_in;            /* take a look at the
session vars */

Vendor Status: The Vendor is informed !

Solution: Maybe insert a maxsize tag to the passwords input field.

Discovered by Steve

Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]