Vulnerability Note VU#858726

MailPost discloses sensitive system information when operating in debug mode

Overview

A vulnerability is reported to exist in MailPost version 5.1.1sv and possibly earlier versions that may permit a remote attacker to gain sensitive information about the server configuration and environment..

I. Description

According to the ProCheckUp report, MailPost contains a vulnerability that may permit a remote attacker to gain sensitive information about the server configuration and environment.. When the application is in debug mode, an attacker can retrieve sensitive configuration and environment information about the target machine by sending a *debug* query string to the script. Note that debug mode is enabled in the default configuration.

II. Impact

This information could be used to determine sensitive information about the server's environment.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem.

This vulnerability may be mitigated by disabling the debug mode.

Systems Affected

Vendor	Status	Date Updated
MailPost	Vulnerable	3-Nov-2004

References

http://www.procheckup.com/security_info/vuln_pr0409.html

Credit

Thanks to ProCheckUp for reporting this vulnerability.

This document was written by Jason A Rafail and is based on information provided by ProCheckUp.

Other Information

Date Public	11/03/2004
Date First Published	11/03/2004 11:57:51 AM
Date Last Updated	11/03/2004
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	3.00
Document Revision	2

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader