Security Bug: 10.25

Discussion forum for Enterprise Edition.
kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Security Bug: 10.25

Post by kiamori » Wed Jul 31, 2019 3:03 pm

Users are able to log in with both the new and the old password after doing a password reset in MMC.

kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Re: Security Bug: 10.25

Post by kiamori » Wed Jul 31, 2019 10:03 pm

When can I expect a fix?
Last edited by kiamori on Thu Aug 01, 2019 1:42 am, edited 1 time in total.

MailEnable-Ian
Site Admin
Posts: 8975
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Security Bug: 10.25

Post by MailEnable-Ian » Thu Aug 01, 2019 12:05 am

Hi,

I replied to your ticket.
Regards,

Ian Margarone
MailEnable Support

kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Re: Security Bug: 10.25

Post by kiamori » Thu Aug 01, 2019 1:05 am

I'm just going to post the fix that I found for anyone else that runs into this issue because I just stumbled across it while backing up the post office account before I was going to delete the whole thing and recreate it from a backup.

First make backups of everything before making any changes.

Then I deleted the ME/Config/AUTH.SAV file,
I then forced it to recreate the file by using MMC to change a password. At this point you should verify that it recreated the AUTH.SAV file, if not restore it from your backup.

Next I used the ME MMC to export users from the affected postoffice: right click on the postoffice > Export Users > select the following [PostOffice, Username, Password], then choose a temp location for the export and click Export. At this point I received a message stating that some passwords were missing and temp passwords would be generated for each affected account.
Accept and complete. Once this completes, restart the ME services and verify that the old password no longer works; in my case I had to update the password one more time for it to properly clear the password cache.

Falconhawk
Posts: 1
Joined: Thu Jul 25, 2019 1:01 am
Location: https://4wdlife.com/

Re: Security Bug: 10.25

Post by Falconhawk » Mon Aug 12, 2019 4:12 am

kiamori wrote (Thu Aug 01, 2019 1:05 am): "verify that the old password no longer works"
What to do if the old password still works, repeat all the steps?

kiamori
Posts: 224
Joined: Wed Nov 04, 2009 1:39 am

Re: Security Bug: 10.25

Post by kiamori » Sat Aug 17, 2019 5:52 am

Did you wait for more than a few minutes? ME uses a password cache which can allow both passwords for a short duration after making the change. If after a few minutes it's still allowing both passwords and you've followed the instructions, I would post here and make a ticket with a link back to this thread so they have it for reference.
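
Added example (not part of any post in this thread, and not MailEnable code): a script that automates the "verify that the old password no longer works" step and the wait for the password cache described above. It assumes the server exposes POP3 over TLS on port 995; the host and mailbox login are supplied by you, and the 300-second grace period is an assumed stand-in for "a few minutes".

```python
import getpass
import poplib
import sys
import time
from functools import partial


def pop3_login(host, user, password, port=995):
    """True if the server accepts user/password over POP3S (assumed enabled)."""
    conn = poplib.POP3_SSL(host, port, timeout=10)
    try:
        conn.user(user)
        conn.pass_(password)
        return True
    except poplib.error_proto:
        return False  # -ERR reply: credentials rejected
    finally:
        try:
            conn.quit()
        except (OSError, poplib.error_proto):
            pass


def check_reset(login, old_pw, new_pw, grace_s=300, interval_s=30,
                sleep=time.sleep, clock=time.monotonic):
    """Classify a reset as 'new-rejected', 'ok' or 'old-still-valid'.

    login(password) -> bool. grace_s is an assumed allowance for the
    password cache ("a few minutes" in the thread), not a documented value.
    """
    if not login(new_pw):
        return "new-rejected"  # the reset itself did not take effect
    deadline = clock() + grace_s
    while True:
        if not login(old_pw):
            return "ok"  # old credential is dead
        if clock() >= deadline:
            return "old-still-valid"  # still accepted after the grace period
        sleep(interval_s)


if __name__ == "__main__":
    # usage: python check_reset.py <mail-host> <mailbox-login>
    host, user = sys.argv[1], sys.argv[2]
    old = getpass.getpass("old password: ")
    new = getpass.getpass("new password: ")
    result = check_reset(partial(pop3_login, host, user), old, new)
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

An exit status other than 0 means either the new password was rejected or the old one was still accepted after the grace period, which is the condition to report in a support ticket.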
