Security Bug: 10.25

Discussion forum for Enterprise Edition.
Post Reply
kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am
Contact:

Security Bug: 10.25

Post by kiamori »

Users able to login with both new and old password after doing a password reset in MMC.

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am
Contact:

Re: Security Bug: 10.25

Post by kiamori »

When can I expect a fix.
Last edited by kiamori on Thu Aug 01, 2019 1:42 am, edited 1 time in total.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Security Bug: 10.25

Post by MailEnable-Ian »

Hi,

I replied to your ticket.
Regards,

Ian Margarone
MailEnable Support

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am
Contact:

Re: Security Bug: 10.25

Post by kiamori »

I'm just going to post the fix that I found for anyone else that runs into this issue because I just stumbled across it while backing up the post office account before I was going to delete the whole thing and recreate it from a backup.

First make backups of everything before making any changes.

Then I deleted the ME/Config/AUTH.SAV file,
I then forced it to recreate the file by using MMC to change a password. At this point you should verify that it recreated the AUTH.SAV file, if not restore it from your backup.

Next I used the ME MMC to export users from the effected postoffice: right click on the postoffice > Export Users > Select the following[PostOffice, Username,Password] then choose a temp location for the export and click Export. At this point I received a message stating that some passwords were missing and temp passwords would be generated for each affected account.
export.jpg
export.jpg (28.74 KiB) Viewed 12724 times
Accept and complete. Once this completes restart the ME services and verify that the old password no longer works, in my case I had to update the password one more time for it to properly clear the password cache.

Falconhawk
Posts: 1
Joined: Thu Jul 25, 2019 1:01 am
Location: https://4wdlife.com/

Re: Security Bug: 10.25

Post by Falconhawk »

kiamori wrote:
Thu Aug 01, 2019 1:05 am
verify that the old password no longer works
What to do if the old password still works, repeat all the steps?

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am
Contact:

Re: Security Bug: 10.25

Post by kiamori »

Did you wait more than for a few minutes, ME uses a password cache which can allow both passwords for a short duration after making the change. If after a few minutes its still allowing both passwords and you've followed the instructions I would post here and make a ticket with a link back to this thread so they have it for reference.

Post Reply