JVN#04288738
Active! mail vulnerable to information disclosure
Overview
Active! mail contains an information disclosure vulnerability.
Products Affected
- Active! mail 6
Description
Active! mail, provided by TransWARE, is webmail software. Active! mail contains an information disclosure vulnerability.
Impact
If the "external public interface" is enabled, an attacker who can log into the server may obtain users' credentials.
Solution
Restrict log-in to the server
Allow connections only from an administrator or trusted users.
Do not use the "external public interface" function
Turn off the "external public interface" if the function is not necessary.
For more information, refer to the information provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2013.04.04
Measures | Conditions | Severity |
---|---|---|
Access Required | requires you to login into the box to a shell or remote desktop | |
Authentication | login caused to be created by an administrator | |
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | |
Credit
Mitsuru Ogino of Sugiyama Jogakuen reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2013-2302 |
JVN iPedia | JVNDB-2013-000031 |