There is a 'feature' of Microsoft SQL 7.0 (6.5 not tested, but assumed to do it as well) to allow multiple queries from a database through one statement. Access is not affected by this, as it only processes the first statement in a string. Examples of this are shown in article ASB99-04 at www.allaire.com/security. As far as I can tell, version 5.x and 6.x are affected. What this means to us is that we have to 'check' the input source to verify that no "unchecked" input is allowed through. The exploit will allow unverified SQL statements to be executed on the SQL server hosting Imail. This statement will run with the permissions set by the ODBC connection. At the least, data can be changed, added, deleted from the imail table. This has been verified with POP3 and Web Messaging, although SMTP and IMAP should be just as vulnerable. You do not need a valid user on the domain to do this. Ipswitch has known about this problem since mid February 2000, and has yet to issue a patch. Officially, Imail is not supported with anything other than MS Access, and Access is not affected by this. I contacted Mr. Nice, and he has updated his life-saving odbcuser.dll file to include checking against this, and similar attacks. This update was done 5/22, so if you have an older copy of his file, I suggest you update your copy ASAP. This article is being submitted here first, with a followup to be posted to BugTraq within a few days. I wanted to warn users to secure their systems before the general public sees this issue. For those that need the url to the unsupported Imail odbcuser.dll file, point your browser to http://home.worldnet.att.net/~niceman/ and download the file listed. Please understand that this file was not created by Ipswitch, and therefore, is not supported by them if you run into any problems. Hope this helps! ________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
