Released: January 9, 2002 Discovered: January 3, 2002 by Chris Lathem chris@lathemonline.com Program Overview: MiraMail is a fairly new program to the market, and is intended to be used as a news server. It is developed and maintained by Nevrona Designs. For more information please see www.nevrona.com/miramail. The problem in MiraMail lies in the way it stores its variables: Everything is stored in an ".ini" file in plain text. This includes POP account usernames and passwords. This is not limited to the POP accounts either. The user accounts and groups are also stored in the same file, all in plain text. Any user with access to the directory in which MiraMail is installed can potentially "snoop" the file for accounts and passwords, or could add additional users or groups with ease. Status: Vendor was contacted on January 3, and acknowledged the problem. According to the vendor, the next version to be released (1.05) will encrypt the .ini file with md5 encryption, and will be released in the next couple of weeks. Cheers, Chris Lathem chris@lathemonline.com http://www.lathemonline.com -------------------------------------------------------------------- Please be nice to me, this is my first post. =~]
