Bugtraq mailing list archives
Re: Tumbleweed Worldsecure (MMS) BLANK '
From: Neil Pike <NeilPike () COMPUSERVE COM>
Date: Sun, 13 Aug 2000 15:54:50 -0400
I reported the same thing to them a month ago. They have an article on it, but they don't make it public unless you ask! (And the install instructions say nothing about it). I amended MSDE to use integrated security before I told them (which fixes the problem and should be their default).
> I've recently discovered the following vulnerability:
>
> Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk Worldsecure)
> http://www.tumbleweed.com/solutions/products/mms_products
> Version: 4.3 - 4.5 (all builds)
>
> Description: Product uses Microsoft's MSDE (Database engine) which is a stripped down version of the Microsoft SQL server 7.0. During the setup stage, I was never asked for the 'sa' account password, which led me to think that application is either generating a random password every time it installs or the password is the same for all installations. Well, after further research I discovered that the password is left BLANK !!! This is a huge remotely exploitable vulnerability. After I remotely connected to the database (with 'sa' account and NO PASSWORD) I was able to delete the databases (denial of service, product becomes unusable) and modify the data (customer certificates, configuration of the product, logs, etc.).
>
> Tumbleweed refuses to acknowledge this vulnerability, which caused major outrage among my customers. Therefore, I have no choice but to go public about this vulnerability.
>
> Please feel free to contact me with ANY questions regarding this issue, although I would like to remain anonymous.
>
> Thank you very much.
Neil Pike MVP/MCSE Protech Computing Ltd
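
The following T-SQL audit is an added example, not part of the original post or of Tumbleweed's documentation. It checks an instance you administer for the condition described in this thread: SQL logins accepted at all, and any login with a blank password. It assumes SQL Server 2008 or later (not the MSDE 1.0 / SQL Server 7.0 engine discussed in the post) and a session with sysadmin rights.

```sql
-- Added example: audit for blank SQL login passwords on your own instance.
-- Assumption: SQL Server 2008 or later, run as a sysadmin.

-- 1. Authentication mode. Windows-only (integrated security) means the
--    'sa' password cannot be used to log in at all.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (SQL logins accepted)'
       END AS auth_mode;

-- 2. SQL logins whose password is blank or identical to the login name.
--    PWDCOMPARE hashes the candidate and compares it with the stored hash,
--    so no password is ever read back in clear text.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,                       -- 0 = password policy not enforced
        IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin,
        CASE WHEN PWDCOMPARE('', l.password_hash) = 1
             THEN 'blank'
             ELSE 'same as login name'
        END AS weak_password
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE('', l.password_hash) = 1
   OR   PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY is_sysadmin DESC, l.name;

-- 3. Remediation for any row returned (uncomment what applies).
--    The password below is a placeholder, not a recommended value.
-- ALTER LOGIN [sa] WITH PASSWORD = N'<long-random-placeholder>';
-- ALTER LOGIN [sa] DISABLE;   -- if no application needs the account
```

If the application works with Windows authentication, switching the instance to Windows authentication mode and restarting the service removes the SQL login path entirely, which is the fix described in the reply above.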