SecurityTracker.com
Category:   Application (E-mail Server)  >   Cyrus IMAP Server
Vendors:   Carnegie Mellon University
Cyrus IMAP Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1002344
SecurityTracker URL:  http://securitytracker.com/id/1002344
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 8 2001
Impact:   Denial of service via network

Version(s): Cyrus 2.0.15 and 2.0.16, possibly others
Description:   A denial of service vulnerability has been reported in the Cyrus IMAP e-mail server. Remote users can cause the mail server to crash.

It is reported that a remote user with a PHP-based IMAP client can eventually cause the Cyrus mail server to hang, requiring a hard server reboot to return to normal operation. This condition has reportedly been observed when using the IMP and Jawmail webmail packages.

Impact:   A remote user can cause the e-mail server to crash, requiring a reboot to return to normal operation.
Solution:   No solution was available at the time of this entry.
Vendor URL:  asg.web.cmu.edu/cyrus/
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  tested on BSDi 4.2

Message History:   None.


 Source Message Contents

Subject:  Possible Denial of Service with PHP and Cyrus IMAP on BSDi 4.2


Use of the php IMAP functions on BSDi webserver with Apache against a cyrus
server on BSDi 4.2 will eventually cause the mail server to hang, forcing a
hard reboot.

A BSDi 4.2 Cyrus server could be remotely DOS'd if external IMAP access is
available.

This has been experienced running IMP and Jawmail, two popular OSS webmail
packages which do not exhibit this behavior on other platforms.

This has been tested with the php compiled against c-client versions 2000
and 4.7, and with Cyrus 2.0.15 and 2.0.16 as the mail server.

The cyrus server does not exhibit this behavior with regular mail clients.

It has also been tested with php 4.0.4pl1 and php 4.0.6.

At this time, I am unable to determine if the issue is with the c-client or
with PHP.

M. Gamble
Echo Online Administration

 
 

