Icon View Incident Report

Serious Serious
Reported By: Joerg Philipp
Reported On: 6/3/2003
For: Version 3.24 Build 1
# 1362 Security Hole in Server Permits Login with a Blank User Name and Password

There is a security hole in the administration session of the Database Server. I can get full administrative access without a username and password.

I found it while using a personal firewall on client side (Windows XP), which blocks SrvAdmin for some seconds. See screenshoot srvadmin1.gif: when Kerio Personal Firewall shows its window, SrvAdmin blocks after some seconds (its menu bar becomes white). Then I permit the connection. SrvAdmin is reactivated, but the login window isn't shown. Then I can click on "Login to Server" again and get instant access to the server without asking for username and password! If I move the SrvAdmin window to the side, I will see the login window behind.

In the Logfile I found, that there is no Admin login for this session. But if I close Srvadmin, then there is a Admin logout with empty username.

Resolution Resolution
Fixed Problem on 7/16/2003 in version 3.25 build 1