
data store

[ GLSA 200804-24 ] DBmail: Data disclosure

Background
==========

DBMail is a mail storage and retrieval daemon that uses SQL databases
as its data store. IMAP and POP3 can be used to retrieve mails from the
database.

Affected packages
=================


CORELAN-10-009 : Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)

         users can send and receive email using any standards-based client, including Microsoft Outlook(r),
         Outlook Express(r), or Eudora(r). Or, users can access email from anywhere via IMail's customizable Web
         messaging, available in eight languages.

         Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate
         users from its own database, an active directory database, or from any ODBC-compliant data store, making
         life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade
         process."

0x02 : Vulnerability Details


McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, uses hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson
applications. There are two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server,
/usr/local/bin/password, contains the database account usernames and their respective passwords.
Content from /usr/local/bin/password is shown:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
