Some versions of MiraMail store username and passwords in a text file without using encryption.
MiraMail is a news server for Windows-based hosts. Versions of MiraMail up to and including 1.04 store MiraMail user data, including usernames and passwords, in unencrypted plaintext stored in a '.ini' file.
Any user with access to the .ini file can learn all usernames and passwords used by MiraMail.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to Chris Lathem for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
|Date First Published:||2002-08-07|
|Date Last Updated:||2002-08-07 16:00 UTC|