hMailServer
cpe:2.3:a:hmailserver:hmailserver:*:*:*:*:*:*:*
- 5.8.6
- 5.6.9-beta
A vulnerability exists in hMailServer versions 5.8.6 and 5.6.9-beta due to the use of a hardcoded cryptographic key in the BlowFish component. This flaw enables an attacker to decrypt passwords used in database connections, which are stored in the hMailServer.ini configuration file. The vulnerability arises because the encryption algorithm relies on a fixed key that is not secret, compromising the confidentiality of database connection passwords.
Exploitation of this vulnerability leads to unauthorized access to database connection passwords, allowing for potential manipulation or extraction of database information.
The vulnerability can be reproduced by installing hMailServer 5.8.6 or 5.6.9-beta and initiating the internal database setup process. During this process, the application uses a hardcoded key to encrypt the database password, which is then saved in the hMailServer.ini file. The same key can be used to decrypt the password, granting access to the database.