The Free/Busy server included with WorldClient can be used to determine if an email address is valid in MDaemon. The Free/Busy server is accessed by programs such as Microsoft Outlook to check attendee availability when scheduling meetings. WorldClient and BES do not require the Free/Busy server to check availability.
	
MDaemon's WorldClient Username Enumeration Vulnerability 
The
 Free/Busy server included with WorldClient can be used to determine if 
an email address is valid in MDaemon. The Free/Busy server is accessed 
by programs such as Microsoft Outlook to check attendee availability 
when scheduling meetings. WorldClient and BES do not require the 
Free/Busy server to check availability. 
If the Free/Busy server 
is in use and Administrators would like to protect themselves against 
this attack a password can be configured using the following 
instructions:
- Open the MDaemon user interface.
- Select the Setup menu.
- Select Web and IM Services.
- In the WorldClient section select Calendar.
- In the Free/busy password field enter the desired password.
- Click the OK button.  
Once the password is configured anyone accessing the Free/Busy server from outside of WorldClient will need to update the search path to include the password by adding “&password=$PASSWORD$”, where $PASSWORD$ is the password specified on the server, to the URL.
Additional Comments
Once the password is configured anyone accessing the Free/Busy server from outside of WorldClient will need to update the search path to include the password by adding “&password=$PASSWORD$”, where $PASSWORD$ is the password specified on the server, to the URL.
Note: If there was an existing Free/Busy password configured prior to
 updating to 13.0.4, resetting the Free/Busy password is required. 

