Bugtraq mailing list archives

NTMail Proxy Exploit


From: georger () NLS NET (Geo.)
Date: Fri, 12 May 2000 07:46:00 -0400


NTmail version 5.x (possibly other versions, I haven't checked) has two web
functions. One is a web configuration server which lets you configure the
mail server via a browser. The other is it can also work as a proxy server.
These two functions are set by default to use two different ports (8000 for
configuration and 8080 for proxy). The proxy function has an off switch so
you can turn off proxy and still be able to configure your mail server via
the browser and also to allow your users to read email via the browser.

So let's say you use NTmail and you also have a separate proxy server with
restrictions for certain sites, java, whatever, you have it restricted to
protect your network and keep your users from visiting hacker and nudie
sites.

If the web configuration for NTmail is on port 8000 (default) and proxy in
NTmail is on port 8080 (default) and you have proxy disabled then the users
are forced to go thru your restricted proxy server. Port 8080 does not work.

However if the user changes their proxy setup to point to NTmail on port
8000, it proxies them right out to the internet with no restrictions at all.

This can be a bit of a security issue. Normally I would not post something
like this until the vendor had a patch released. However in this case the
discovery of this was made by Simon Talbot on the NTmail support list and
news of this will probably get out pretty quickly among the users so I
figured it is only fair to let the admins know about the hole as well since
it can be a fairly serious security issue. Also if you have an NTmail server
out on the open internet it can be used by the world as a proxy server.

The workaround is to disable the www configuration service until a patch is
released.

Geo.
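
Added example, not part of the original post: a check an admin can run against their own NTmail host to confirm whether the configuration port relays proxy-style requests, before and after applying the workaround. Ports 8000 and 8080 come from the post; the function names, the canary URL and the token (a page you control that returns a secret string) are assumptions of this example.

```python
import socket
import sys

def relays_proxy_request(host, port, canary_url, token, timeout=5.0):
    """True if host:port fetched canary_url for us (i.e. acts as a proxy)."""
    # Proxy-style request: absolute URI in the request line, as a browser
    # sends when host:port is configured as its HTTP proxy.
    authority = canary_url.split("/")[2]
    request = (f"GET {canary_url} HTTP/1.0\r\n"
               f"Host: {authority}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(reply) < 65536:          # cap what we read
                data = sock.recv(4096)
                if not data:
                    break
                reply += data
    except OSError:                            # refused, reset or timed out
        return False
    head, _, body = reply.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    # Only the canary page carries the token (keep it out of the URL), so a
    # 200 containing it means the service fetched the URL on our behalf.
    return status[1:2] == [b"200"] and token.encode("ascii") in body

def audit_ports(host, ports, canary_url, token):
    """Return the subset of ports on host that relay proxy requests."""
    return [p for p in ports if relays_proxy_request(host, p, canary_url, token)]

if __name__ == "__main__":
    # 8000 and 8080 are the default ports named in the post.
    if len(sys.argv) != 4:
        sys.exit("usage: check.py <mail-server> <canary-url> <token>")
    host, url, tok = sys.argv[1:4]
    open_ports = audit_ports(host, [8000, 8080], url, tok)
    print("relaying ports:", open_ports or "none")
    sys.exit(1 if open_ports else 0)
```

With proxy disabled, both ports should come back as not relaying; a hit on 8000 is the behaviour described in the post.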

