Re: Tumbleweed Worldsecure (MMS) BLANK '

[Neil Pike <NeilPike () COMPUSERVE COM>]

 I reported the same thing to them a month ago.  They have an article on
it, but they don't make it public unless you ask!  (And the install
instructions say nothing about it).  I amended MSDE to use integrated
security before I told them (which fixes the problem and should be their
default).
 
> I've recently discovered the following vulnerability:
> Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk
> Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
> Version: 4.3 - 4.5 (all builds)
> Description: Product uses Microsoft's MSDE (Database engine) which is a
stripped
> down version of the Microsoft SQL server 7.0.  During the setup stage, I
was
> never asked for the 'sa' account password, which led me to think that
> application is either generating a random password every time it installs
or the
> password is the same for all installations.  Well, after thurther
research I
> discovered that the password is left BLANK !!!  This is a huge remotely
> exploitable vulnerability.  After I remotely connected to the database
(with
> 'sa' account and NO PASSWORD) I was able to delete the databases (denial
of
> service, product becomes unusable) and modify the data (customer
certificates,
> configuration of the product, logs, etc.).
>
> Tumbeweed refuses to acknowledge this vulnerability, which caused major
outrage
> among my customers.  Therefore, I have no choice but to go public about
this
> vulnerability.
>
> Please feel free to contact me with ANY questions regarding this issue,
although
> I would like to remain anonymous.
>
> Thank you very much.
>
> ------------------------------------------------------------
> Hey you! Claim your FREE anonymous email account:
> Click Here -> http://www.anonymous.to

 Neil Pike MVP/MCSE
 Protech Computing Ltd