========================================================================================== Alt-N MDaemon's WorldClient Disclosure of Authentication Credentials Vulnerability ========================================================================================== Software: Alt-N MDaemon v13.0.3 and prior versions Vendor: http://www.altn.com/ Vuln Type: Disclosure of Authentication Credentials Remote: Yes Local: No Discovered by: QSecure and Demetris Papapetrou References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Disclosure_of_Authentication_Credentials.html Discovered: 01/10/2012 Reported: 19/12/2012 Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html) Disclosed: 18/02/2013 VULNERABILITY DESCRIPTION: ========================== Alt-N WorldClient application is prone to an authentication credentials disclosure via a specially formulated HTTP request. This is possible because the application replies to the request with a response that contains the credentials in an encoded (reversible) format. Attackers may trick an unsuspecting user into opening a malicious email message -using the WorldClient application- and stealing his/her authentication credentials without the user ever noticing. Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected. PoC Exploit: ============ Vulnerable URL: http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=WebAdmin Encoded Auth String: GaDAQBQOP3cymUmJxiNVaz80JTAklc/c+q7fAhmklkQSdp0XMo2X/4aVhqMtLz4OLuCf6v2T0Gc9KKHkvn ok0B9ARyso9/k Decoded Auth String: User=test%40ac1dc0de.com&Password=111111Ab&TimeStamp=1344532850&Lang=en