921

MDaemon's WorldClient Username Enumeration Vulnerability

The Free/Busy server included with WorldClient can be used to determine whether an email address is valid in MDaemon: the response for an existing mailbox differs from the response for an unknown one, so anyone who can reach the server can confirm real addresses one query at a time. The Free/Busy server is accessed by programs such as Microsoft Outlook to check attendee availability when scheduling meetings. WorldClient and BES do not require the Free/Busy server to check availability.

If the Free/Busy server is in use and administrators want to protect against this attack, a password can be configured using the following instructions:

  1. Open the MDaemon user interface.
  2. Select the Setup menu.
  3. Select Web and IM Services.
  4. In the WorldClient section select Calendar.
  5. In the Free/busy password field enter the desired password.
  6. Click the OK button.

Once the password is configured, anyone accessing the Free/Busy server from outside of WorldClient must update the search path to include the password by appending “&password=$PASSWORD$” to the URL, where $PASSWORD$ is the password specified on the server. Because the value travels in the query string, it will be written to web server, proxy and browser history logs; serve the Free/Busy URL over HTTPS and treat this password as a shared secret for the calendar service, not as any user's mailbox password.
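The following is an added example, not MDaemon code, that models the behaviour described above: a constructed Free/Busy handler that leaks mailbox existence through its status code, the same handler once a password parameter is required, a helper that appends the password to an existing Free/Busy URL, and an attacker's probe that reports whether the endpoint still acts as an enumeration oracle. The account list, the password value, the 200/404 responses and the URL https://mail.example.com/freebusy?user=... are all assumptions made for the example; the real server's URL layout and response bodies are not documented on this page.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed sample directory; stands in for the MDaemon account list.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

# Assumption: the value an administrator typed into the Free/busy password field.
FREEBUSY_PASSWORD = "s3cret-fb"

FREEBUSY_BODY = "BEGIN:VCALENDAR\nBEGIN:VFREEBUSY\nEND:VFREEBUSY\nEND:VCALENDAR"


def leaky_freebusy(params):
    """Unprotected handler: a known mailbox gets calendar data, an unknown one an
    error. The status code alone tells a caller whether the address exists."""
    user = params.get("user", "")
    if user in KNOWN_USERS:
        return 200, FREEBUSY_BODY
    return 404, "no such user"


def protected_freebusy(params):
    """Same handler once a Free/Busy password is required. Any request without the
    right password is rejected before the address is looked up, so valid and
    invalid addresses are indistinguishable to a caller who lacks the password."""
    supplied = params.get("password", "")
    if not hmac.compare_digest(supplied.encode(), FREEBUSY_PASSWORD.encode()):
        return 403, "forbidden"
    return leaky_freebusy(params)


def add_password(url, password):
    """Append the password parameter to an existing Free/Busy URL, URL-encoding the
    value so characters such as '&' or spaces survive the query string."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["password"] = [password]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def probe(handler, candidates, extra=None):
    """Attacker's view: query each candidate address and report whether the
    responses differ, i.e. whether the endpoint works as an enumeration oracle."""
    statuses = {}
    for addr in candidates:
        params = {"user": addr}
        if extra:
            params.update(extra)
        statuses[addr] = handler(params)[0]
    return statuses, len(set(statuses.values())) > 1


if __name__ == "__main__":
    candidates = ["alice@example.com", "nobody@example.com"]
    print("unprotected:", probe(leaky_freebusy, candidates))
    print("protected, no password:", probe(protected_freebusy, candidates))
    print("protected, with password:",
          probe(protected_freebusy, candidates, {"password": FREEBUSY_PASSWORD}))
    print(add_password("https://mail.example.com/freebusy?user=alice%40example.com",
                       FREEBUSY_PASSWORD))
```

Without the password every request gets the same rejection, so the probe can no longer tell a real address from an invented one; a legitimate client that appends the password still sees the normal difference, which is exactly what Outlook needs to look up attendee availability. The password check runs before the mailbox lookup on purpose: checking the address first would reintroduce the oracle.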

Additional Comments

Note: If a Free/Busy password was already configured before updating to 13.0.4, the Free/Busy password must be reset after the update.