Author: Stefan Lochbihler
Date: 6 July 2005
Affected Software: PHPXMAIL
Software Version: 0.7 -> 1.1
Software URL: http://phpxmail.sourceforge.net/
Attack: Authentication Bypass

Overview:
PhpXmail is web-based management software for the XMail mail server, written in PHP. Its main use is as a GUI (graphical user interface) to the XMail administration extensions. It allows the administrator of the mail server to perform configuration management and monitoring tasks, allows the postmaster of each domain the XMail server is configured for to perform management functions, and allows users who have a mail account to manage their own account settings.

Hi there!

Details:
When we try to log in with a username and a wrong password, the server responds with a message like:

    -00024 invalid password

Looking at the code below, we see that the function checks whether the first character of the server response is a "-". In that case it stores the message, returns FALSE and exits.

code: class.xmail.php

    if ($ret[0] == '-') {
        // not logged in
        $this->xm_err_msg = $ret;   // get error msg
        return FALSE;
        echo "$ret";                // never reached: everything after return is dead code
        die;
        exit;
    }

The problem occurs when we try to log in with an overlong password: we get no response message from the server at all. The first character of an empty response is not "-", so the error branch is never taken and the function does not exit. Failure is detected only by that single "-" check, so anything else, including no reply, is treated as success (the check fails open). When we log in with a username like postmaster@localhost and an overlong password, we therefore bypass the error handler and are logged in successfully.

code: from login.inc

    default:
        $mail_server->xm_ctrl_p = xmdecrypt($servers["$form_server"][3]);
        $logged_in = $mail_server->userauth($mail_server->xm_user_d, $mail_server->xm_user_u, $mail_server->xm_user_p);
        break;
    /* here we try to log in */

    if ($logged_in != "The operation completed successfully.")
    $_SESSION['mail_server'] = $mail_server;
    $_SESSION['logged_in'] = $logged_in;
    /* take a look at the session vars */

Vendor Status:
The vendor has been informed.

Solution:
A maxlength attribute on the password input field would stop the browser form from sending an overlong password, but it is not a fix: an attacker submits the request directly and never sees the form. The check has to be done server-side and has to fail closed. userauth() should treat an empty reply, or any reply that is not an explicit success response, as a failed login, and the PHP side should reject oversized passwords before they are ever sent to the XMail CTRL port.
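The following is an added example, not PHPXMAIL's code, that models the check described above so the fail-open and fail-closed variants can be compared offline. The real class talks to XMail's CTRL port; here the server reply is a constructed string. The assumptions are: a successful CTRL reply begins with "+" (the mirror image of the "-" error prefix shown in the advisory; the exact reply text "+00000 OK" is constructed), and MAX_PASSWORD_LEN is an arbitrary limit chosen for the example, not a value from PHPXMAIL or XMail.

```php
<?php
// Added example, not PHPXMAIL's own code. Models the auth check discussed in
// the advisory against constructed server replies; no CTRL connection is made.

const MAX_PASSWORD_LEN = 64;   // assumed limit for this example, not from PHPXMAIL

// Vulnerable shape, mirroring class.xmail.php: the only failure signal is a
// reply whose first character is '-'. An empty reply (server said nothing,
// e.g. after an overlong password) is not '-', so the caller is "logged in".
// isset() merely silences PHP's uninitialized-offset warning on ''; the
// decision is the same as the original's `$ret[0] == '-'`.
function userauth_vulnerable(string $reply): bool
{
    if (isset($reply[0]) && $reply[0] === '-') {
        return false;          // explicit error from the server
    }
    return true;               // everything else, including no reply, passes
}

// Fixed shape: fail closed. Reject bad input before contacting the server,
// and log in only on an explicit success reply.
function userauth_fixed(string $password, string $reply): bool
{
    if ($password === '' || strlen($password) > MAX_PASSWORD_LEN) {
        return false;          // never send an oversized password to the CTRL port
    }
    if ($reply === '' || $reply[0] !== '+') {
        return false;          // empty, garbled or '-' reply => not authenticated
    }
    return true;
}

// Constructed test cases: password submitted and the reply the server gave.
$cases = [
    'valid credentials' => ['password' => 'secret',               'reply' => '+00000 OK'],
    'wrong password'    => ['password' => 'wrong',                'reply' => '-00024 invalid password'],
    'overlong password' => ['password' => str_repeat('A', 4096),  'reply' => ''],
];

foreach ($cases as $name => $c) {
    printf("%-18s vulnerable=%-6s fixed=%s\n",
        $name,
        userauth_vulnerable($c['reply']) ? 'login' : 'denied',
        userauth_fixed($c['password'], $c['reply']) ? 'login' : 'denied');
}
```

Running it shows the three outcomes side by side: both variants accept valid credentials and reject the "-00024" reply, but on the overlong-password case the vulnerable check reports a login while the fixed check denies it, once because the password is rejected before any request is made and again because an empty reply is not a success response.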
Discovered by Steve