MICI NetFax Server SMTP Password Disclosure Vulnerability

Vulnerability

A vulnerability exists in MICI NetFax Server in versions prior to 3.0.1.0, allowing authenticated users to disclose the cleartext password of a configured SMTP server. This is achieved by sending an HTTP GET request to the /config.php endpoint. While the application properly redacts the SMTP password in the user interface, the password is exposed in cleartext through the configuration file accessed via the vulnerable endpoint.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of SMTP passwords, which could compromise email service accounts and potentially impact other resources within the environment.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the /config.php endpoint. The response will include the cleartext password for the configured SMTP server. This vulnerability can be exploited using default credentials, which are automatically provided in cleartext responses to the client.

Remediation

Users are advised to change default administrative passwords and review the risks associated with account credentials provided to the system for service integration purposes.
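A defender-side check, added here as an example and not part of the original advisory or the vendor's code: it scans a web access log for successful GET requests to /config.php so that affected SMTP credentials can be identified and rotated. It assumes the server writes an Apache/nginx "combined" format access log, which the advisory does not state, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote

# Assumption: access log is in Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SENSITIVE_PATH = "/config.php"  # endpoint named in the advisory

SAMPLE_LOG = [  # constructed lines, not captured from a real server
    '192.0.2.10 - - [09/Jun/2025:10:01:02 +0000] "GET /config.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jun/2025:10:05:40 +0000] "GET /./config.php?t=1 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2025:11:00:00 +0000] "GET /config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2025:11:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def normalized_path(target):
    """Drop the query string, percent-decode, collapse ./ ../ //, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()


def config_reads(log_lines):
    """Return {client_ip: {count, first, last}} for 2xx GETs of the endpoint."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # unparsable, wrong method, or not served (e.g. login redirect)
        path = normalized_path(m["target"])
        if path != SENSITIVE_PATH and not path.startswith(SENSITIVE_PATH + "/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        h = hits[m["ip"]]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, h in config_reads(SAMPLE_LOG).items():
        print(ip, h["count"], h["first"].isoformat(), h["last"].isoformat())
```

Any client reported here received a response from /config.php on a version prior to 3.0.1.0, so the SMTP account configured at that time should be treated as exposed from the first-seen timestamp onward.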

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.