Inter7 vpopmail MySQL Authentication Data Recovery Vulnerability

Inter7 vpopmail is a freely available software package that provides a way for system administrators to manage virtual email domains and non-system, password-based email accounts on Qmail or Postfix mail servers.

A vulnerability exists in vpopmail that may result in the disclosure of sensitive authentication information when the package is configured to use a MySQL database. The command-line programs included in the package are linked against object files containing this authentication information, stored in cleartext.

The programs are installed with world-readable file access permissions. As a result, it may be possible for an attacker with local access to retrieve the authentication information by examining one of the programs.
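
An administrator can check an installation for the file-permission condition described above with the following audit. It is an added example, not part of the original advisory or the vpopmail package. The function names are hypothetical, and the directory to audit is supplied by the caller because the advisory does not name an install path.

```shell
#!/bin/sh
# Added example: report regular files under a directory whose "other" read
# bit is set, i.e. files any local account can open and inspect.
# Usage after sourcing: audit_dir /path/to/vpopmail/programs  (path is yours)

# Print the path of every world-readable regular file under $1.
list_world_readable() {
    # -perm -004 matches when the read bit for "other" is set.
    find "$1" -type f -perm -004 -print
}

# Print how many such files exist under $1.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d '[:space:]'
}

# Return 0 if nothing is world-readable, 1 on findings, 2 on a bad argument.
audit_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    n=$(count_world_readable "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-readable files under $dir"
        return 0
    fi
    echo "FINDING: $n world-readable file(s) under $dir"
    # Show mode, owner and group so the finding can be triaged.
    list_world_readable "$dir" | while IFS= read -r f; do
        ls -ld "$f"
    done
    return 1
}
```

The non-zero return on findings lets the check run from a scheduled job or configuration-management test and fail when permissions regress after an upgrade or reinstall.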


Copyright 2010, SecurityFocus