MDaemon's WorldClient Username Enumeration Vulnerability
The Free/Busy server included with WorldClient can be used to determine if an email address is valid in MDaemon. The Free/Busy server is accessed by programs such as Microsoft Outlook to check attendee availability when scheduling meetings. WorldClient and BES do not require the Free/Busy server to check availability.
If the Free/Busy server is in use and administrators would like to protect themselves against this attack, a password can be configured using the following instructions:
- Open the MDaemon user interface.
- Select the Setup menu.
- Select Web and IM Services.
- In the WorldClient section select Calendar.
- In the Free/busy password field enter the desired password.
- Click the OK button.
Once the password is configured, anyone accessing the Free/Busy server from outside of WorldClient must update the request URL to include the password by appending “&password=$PASSWORD$”, where $PASSWORD$ is the password specified on the server.
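As an added illustration (not MDaemon's or the KB's own code), the following script audits web-server access-log lines for Free/Busy requests that omit the password parameter described above and flags source addresses that probed many distinct targets, which is the traffic pattern the enumeration described at the top of this article produces. The log format, the Free/Busy URL path, the `user` query parameter and the sample lines are all constructed assumptions; substitute the real path and parameter names from your server.

```python
# Added example, not MDaemon's code: flag sources that query the Free/Busy
# server without the configured password against many distinct targets.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# ASSUMPTION: placeholder path; replace with the real Free/Busy URL path.
FREEBUSY_PATH = "/freebusy"

# Combined-log-style lines, constructed for this example ("user=" is assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /freebusy?user=alice@example.com HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /freebusy?user=bob@example.com HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /freebusy?user=carol@example.com HTTP/1.1" 404 80
198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /freebusy?user=alice@example.com&password=s3cret HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# source ip, then the request target from the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def audit_freebusy(log_text, threshold=3):
    """Return {ip: (unauthenticated_requests, distinct_targets)} for every
    source that hit the Free/Busy path without a password parameter against
    at least `threshold` distinct query strings."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if parts.path != FREEBUSY_PATH:
            continue
        if "password" in parse_qs(parts.query):
            continue  # carries the configured Free/Busy password; not flagged
        stats[ip][0] += 1
        # Distinct query strings approximate distinct addresses probed.
        stats[ip][1].add(parts.query)
    return {ip: (count, len(targets))
            for ip, (count, targets) in stats.items() if len(targets) >= threshold}


if __name__ == "__main__":
    for ip, (count, distinct) in audit_freebusy(SAMPLE_LOG).items():
        print(f"{ip}: {count} unauthenticated Free/Busy requests, {distinct} distinct targets")
```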
Additional Comments
Note: If there was an existing Free/Busy password configured prior to updating to 13.0.4, resetting the Free/Busy password is required.