SecurityTracker.com
Category:   Application (E-mail Server)  >   MDaemon (Alt-N)
Vendors:   Alt-N Technologies
Alt-N's MDaemon Mail Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1001096
SecurityTracker URL:  http://securitytracker.com/id/1001096
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): MDaemon 3.5.4 Standard for Windows NT/2000; MDaemon 3.5.4 Pro for Windows NT/2000
Description:   Defcom Labs reported a vulnerability in the MDaemon e-mail server that lets remote users crash the MDaemon web services.

The MDaemon POP3/SMTP/IMAP4 email server can be crashed by a remote user submitting a malicious URL to the MDaemon web services.

The vulnerability is due to the manner in which the Worldclient service (default port 3000) and the Webconfig service (default port 3001) handle requests whose path names a Windows (DOS) device. For example, if a remote user requests "http://www.foo.org:3000/aux", the Worldclient service will crash. The Webconfig service is subject to the same vulnerability.

Once it has crashed, the service must be restarted from the MDaemon console.

Impact:   A remote user can cause the MDaemon web service to crash.
Solution:   Upgrade to MDaemon 3.5.6.
Vendor URL:  mdaemon.deerfield.com/download/getmdaemon.cfm
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.
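
A defensive check for the request pattern described above, as an added example that is not part of the SecurityTracker entry, the Defcom advisory or MDaemon itself. It generalizes beyond "aux" to the other reserved device names in Microsoft's file-naming documentation; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved Windows device names. COM0/LPT0 are included to stay conservative.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(10)
}


def device_segments(target: str) -> list[str]:
    """Return the path segments of a request target that name a DOS device."""
    path = unquote(urlsplit(target).path)  # decode %xx; the query string is ignored
    hits = []
    for seg in re.split(r"[/\\]+", path):
        # Treat trailing dots/spaces and any extension or ":" suffix as still
        # naming the device, so "aux.", "AUX.txt" and "aux:" are all caught.
        base = re.split(r"[.:]", seg.rstrip(". "), maxsplit=1)[0].rstrip().upper()
        if base in RESERVED:
            hits.append(seg)
    return hits


# Constructed Common Log Format lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
192.0.2.77 - - [15/Mar/2001:10:01:09 +0000] "GET /aux HTTP/1.0" 404 0
192.0.2.77 - - [15/Mar/2001:10:02:41 +0000] "GET /help/%63om1.txt HTTP/1.0" 404 0
192.0.2.10 - - [15/Mar/2001:10:03:00 +0000] "GET /auxiliary/list?dev=aux HTTP/1.0" 200 90
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')


def flag_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, target) pairs whose path contains a device-name segment."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and device_segments(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(f"device-name request from {client}: {target}")
```

The same `device_segments` check can be applied in a reverse proxy or request filter in front of a Windows-hosted web service to reject such paths before they reach the file system layer.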


 Source Message Contents

Subject:  def-2001-11: MDaemon 3.5.4 Dos-Device DoS


======================================================================
                  Defcom Labs Advisory def-2001-11

                  MDaemon 3.5.4 Dos-Device DoS

Release Date: 2001-03-15
======================================================================
------------------------=[Brief Description]=-------------------------
Webservices in the MDaemon package can be crashed by requesting a
malicious URL.

------------------------=[Affected Systems]=--------------------------
- MDaemon 3.5.4 Standard for Windows NT/2000
- MDaemon 3.5.4 Pro for Windows NT/2000

----------------------=[Detailed Description]=------------------------
There is a problem with the way the Worldclient (default port 3000)
and the Webconfig service (default port 3001) handle requests for dos-
devices.

If a user requests e.g. "http://www.foo.org:3000/aux", the Worldclient
service will crash. The same fault affects the Webconfig service.
The service needs to be restarted from the MDaemon console.

---------------------------=[Workaround]=-----------------------------
Upgrade to MDaemon 3.5.6:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of March,
2001 and the vendor released a patch on the 9th of March, 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================

 
 


Copyright 2019, SecurityGlobal.net LLC