Vulnerability

SoftArc's FirstClass

Affected

SoftArc's FirstClass E-mail Client (all versions)

Description

Mnemonix found the following. SoftArc produces the FirstClass Intranet Server and the client software used to access the server. The e-mail client stores the UserID and password used to connect to the server in clear text in the relevant *.fc file. Versions known to do this are 5.506 (the most up to date version) and 3.5. Other versions are likely to have this problem too. 5.506 stores the account information in the %FirstClassInstallDirectory%\Settings\home.fc file and 3.5 in the %FirstClassInstallDirectory%\Settings\network.fc file.

Solution

The documentation, however, recommends that the user NOT store their userid and password in the settings document (the "*.fc" files referred to above). If they are stored, then anyone with physical access to the client computer will be able to access the user's account on the FirstClass Server. It is very much like saving your POP3 password in Outlook and then giving someone use of your computer while you are away from the console.

All versions of the FirstClass client software are affected and presently there are no plans to change this. The account information can be saved to any FirstClass settings document. Again, it is not recommended that anyone save password information for any protected application where the client console is accessible to untrusted persons. This is especially true where the user is an administrator of a system.
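A user or administrator can check whether their own settings documents still carry a saved credential. The following self-audit is an added example, not code from the advisory or from SoftArc. The advisory does not document the *.fc byte layout, so the search for ASCII and UTF-16LE forms, the function names and the sample files are all assumptions.

```python
import tempfile
from pathlib import Path


def encodings_of(secret):
    """Byte forms a client might write a string in (assumed, not from the advisory)."""
    forms = {}
    for name in ("ascii", "utf-16-le"):
        try:
            forms[name] = secret.encode(name)
        except UnicodeEncodeError:
            pass  # secret cannot be represented in this encoding
    return forms


def audit_settings(settings_dir, secret):
    """Return {file name: [encodings found]} for *.fc files holding `secret` in clear."""
    if not secret:
        raise ValueError("an empty secret would match every file")
    needles = encodings_of(secret)
    findings = {}
    for path in sorted(Path(settings_dir).glob("*.fc")):
        data = path.read_bytes()
        hits = [name for name, needle in needles.items() if needle in data]
        if hits:
            findings[path.name] = hits  # report the file only, never echo the secret
    return findings


def demo():
    """Run the audit over constructed sample files (invented layout and credential)."""
    pw = "Example-Pw-1"  # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        Path(d, "home.fc").write_bytes(b"\x00\x01USER\x00jsmith\x00PASS\x00" + pw.encode("ascii"))
        Path(d, "network.fc").write_bytes(b"\x02\x00" + pw.encode("utf-16-le"))
        Path(d, "clean.fc").write_bytes(b"\x00\x01USER\x00\x00PASS\x00\x00")
        Path(d, "notes.txt").write_bytes(pw.encode("ascii"))  # not a settings document
        return audit_settings(d, pw)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: credential present in clear ({', '.join(hits)})")
```

For a real check, point `audit_settings` at the client's Settings directory and read the password with `getpass.getpass()` so it never lands in shell history. A file that is flagged should be re-saved without the stored password.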