JVNDB-2009-000077

Active! mail 2003 cookie disclosure vulnerability

Overview

Active! mail 2003 from TransWARE Co. contains a vulnerability in which cookies may be disclosed.

Active! mail 2003 from TransWARE Co. is web-based email software.

Kenichi Maehashi of CIS RAT at Hosei University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


TransWARE Co.
  • Active! mail 2003 Build 2003.0139.0871 and earlier
  • Active! mail 2003 Build 2003.0139.0911 and Build 2003.0139.0938 (if the configuration file "system.cfg" has not been fixed)

Impact

A remote attacker could impersonate a user of Active! mail 2003. As a result, the user's email could be viewed or configurations could be modified.

Solution

[Update the Software]
Update to the latest version according to the information provided by the vendor.

[Change the Setting]
For Active! mail 2003 Build 2003.0139.0911 and Build 2003.0139.0938, this vulnerability can be addressed by fixing the configuration file "system.cfg".
For more information, refer to the vendor's website.

Vendor Information

TransWARE Co.

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]

CVE

  1. CVE-2009-4354

References

  1. JVN : JVN#36207497
  2. National Vulnerability Database (NVD) : CVE-2009-4354
  3. ISS X-Force Database : 54752

Revision History

[2009/12/15]
  Web page published