Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Privilege escalation flaw in MDaemon 7.2.
From: kf_lists <kf_lists () secnetops com>
Date: Tue, 30 Nov 2004 01:33:05 -0500

When I tested things it was on MDaemon 6.8

Excuse me... they did respond and it was LESS than a year ago. =]. Here is how it went:
------------------------------------------------------
02/03/2004 11:10 AM

Hello!

I have sent this on to the developers.

However, the issue you describe would require a user to have a valid
login and physical access to the machine.  With both of those, they can
login to the server and access the MDaemon GUI, which can also be
further secured with a password.  I'm not dismissing your submission,
just providing feedback.

If you have any questions, please let us know.  Thanks!

-- Billy Pinson Customer Service Lead Alt-N Technologies, Ltd. Helping The World Communicate! http://www.altn.com -------------------------------------------------------------- MDaemon 7.0 is coming! Faster multi-thread/multi-CPU server engine, market leading spam control, improved mobile and PDA support, enhanced security, and killer OWA style web mail. --------------------------------------------------------------

-------------------------------------------------
02/04/2004 06:33 PM

Thanks much... any time estimate on the fix? It sounds as if it may have a low priority since its being added to a list.

-KF

Alt-N Sales - Billy Pinson wrote:

One thing the developers have suggested in the mean time is to change
the service so that it can not interact with the desktop, this would
prevent the GUI from showing up.

If you need GUI access simply run the MDaemon ghost option.  This will
launch the GUI under the users account, rather than the system account.

They have placed this on their list of things to be fixed.

-------------------------------------------------
03/18/2004 10:11 PM
Alt-N Sales - Lina Daaboul wrote:

Hello,

We do not have an estimated time at this time. If you have any questions, please let us know. Thanks!

-KF



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]