[ SOURCE: http://www.secureroot.com/security/advisories/9771429256.html ]

OK, this is my second post in years, and I have been reading all your postings so far. You are all doing a great job indeed.

I would like to point out a security problem in the MDaemon mail server (even in ver 3.5.1, the latest).

My setup:
Windows NT 4.0 server (SP 6.0a)
MDaemon Pro ver 3.5.1 (the latest update, which I downloaded last night)

Note: On Windows NT machines, you must be able to log in to use this exploit. On Windows 98, anybody who has access to the desktop could do it.

Problem: When the MD server is locked, anyone can simply bypass the "locked server" security and do anything they want.

Description: If a mail server administrator wants to deny access to the MD server, he right-clicks on the system tray icon and selects "lock server"; MDaemon will then ask for a password and ask again to confirm it. Whenever you want to open the MD window, you double-click on the icon in the system tray and MD will ask for the password. If you enter the correct password, you will be allowed inside.

The security can be bypassed here. Just double-click on the system tray icon of MDaemon to start. Now MDaemon will prompt for the password. Without entering any password, just click on the Cancel button AND IMMEDIATELY PRESS THE ENTER KEY, and YOU WILL BE TAKEN INTO MDAEMON. You can do whatever you want with MDaemon and then safely minimize it to close the window.

This exploit can be used to add/delete/modify any email accounts and mailing lists. New domains could also be added. Any mail to any account could be forwarded, and a lot more.

I found this problem even in the very early versions of MDaemon.

Two weeks back I sent an email to ALT.COM asking for their email address to report the security problem in MDaemon, and they never replied. I also used their website to send a message, and I received NO reply at all. So I decided to post this message to BUGTRAQ and also CC it to the MDaemon Beta list.

Thank you all,
RIYAD
From SRI LANKA
-------------------------------------------
"Intelligence is when you discover something no one else has,"