
phpxmail.txt

Posted Jul 7, 2005
Authored by Stefan Lochbihler

PHPXMAIL versions 0.7 through 1.1 suffer from an authentication bypass flaw that allows anyone to log in by supplying an overly long password.

tags | advisory
SHA-256 | 2ef490981e3f4aa13f83c7d67ee73a193584e5cd0cb408b9e4582be4b4ffae7c

Author: Stefan Lochbihler
Date: July 6, 2005
Affected Software: PHPXMAIL
Software Version: 0.7 -> 1.1
Software URL: http://phpxmail.sourceforge.net/
Attack: Authentication Bypass



Overview:
PhpXmail is a web-based management application for the Xmail mail server,
written in PHP.
Its main use is as a GUI (Graphical User Interface) to the Xmail
administration extensions.
It allows the administrator of the mail server to perform configuration
management and monitoring tasks for the mail server.
It allows the postmaster of each domain the Xmail server is configured for
to perform management functions.
It allows users who have a mail account to manage their account settings.


Hi there !

Details:
When we try to log in with a username and a wrong password, the server
responds with a message like: -00024 invalid password.
Looking at the code below, we see that the function checks whether
the first character is a "-".
In that case the function returns false and exits.


code: class.xmail.php
if ($ret[0] == '-') { // not logged in
    $this->xm_err_msg = $ret; // get error msg
    return FALSE;
    // the statements below are never reached because of the return above
    echo "$ret";
    die;
    exit;
}


The problem occurs when we try to log in with an overlong password:
we get no response message from the server, so the function does not
exit.

Now when we log in with a username like postmaster@localhost and an
overlong password, we bypass the error handler and successfully log in.


code: from login.inc

default:
    $mail_server->xm_ctrl_p = xmdecrypt($servers["$form_server"][3]);
    $logged_in = $mail_server->userauth($mail_server->xm_user_d,
        $mail_server->xm_user_u, $mail_server->xm_user_p);
    break; /* here we try to log in */

if ($logged_in != "The operation completed successfully.")
    $_SESSION['mail_server'] = $mail_server;
$_SESSION['logged_in'] = $logged_in; /* take a look at the session vars */



Vendor Status: The vendor has been informed.

Solution: Maybe add a maxsize tag to the password input field.



Discovered by Steve
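
The fail-open check described in this advisory next to a fail-closed version, as an added example that is not PHPXMAIL's code or the advisory author's. The function names, the MAX_PASSWORD_LEN value, the sample replies and the assumption that a successful Xmail reply starts with "+" are illustrative; the length limit is checked on the server because a limit on the HTML input field alone does not apply to requests sent without the form.

```php
<?php
// Added example, not PHPXMAIL code. All names and sample replies are constructed.

const MAX_PASSWORD_LEN = 128; // assumed limit; set it to what the mail server accepts

// Pattern from the advisory: only a leading '-' counts as failure,
// so an empty or missing reply falls through and is treated as success.
function isLoggedInFailOpen($ret): bool
{
    if (isset($ret[0]) && $ret[0] == '-') {
        return false;
    }
    return true;
}

// Fail closed: only an explicit success reply counts as a login.
// Assumption: a successful reply starts with '+'.
function isLoggedInFailClosed($ret): bool
{
    return is_string($ret) && $ret !== '' && $ret[0] === '+';
}

// Server-side length check, applied before the password is sent on.
function passwordLengthOk(string $password): bool
{
    return $password !== '' && strlen($password) <= MAX_PASSWORD_LEN;
}

// $sendToServer is a hypothetical callable that returns the server's reply.
function authenticate(string $password, callable $sendToServer): bool
{
    if (!passwordLengthOk($password)) {
        return false; // rejected before it reaches the mail server
    }
    return isLoggedInFailClosed($sendToServer($password));
}

// Constructed replies: error, empty reply, read failure, success.
foreach (['-00024 invalid password', '', false, '+00000 OK'] as $reply) {
    printf("%-28s fail-open=%-5s fail-closed=%s\n",
        var_export($reply, true),
        var_export(isLoggedInFailOpen($reply), true),
        var_export(isLoggedInFailClosed($reply), true));
}

// Constructed stub for a server that sends no reply to an overlong password.
$silentServer = function (string $p) { return ''; };
var_dump(authenticate(str_repeat('A', 5000), $silentServer));
```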




