[MDaemon-L] Fwd: MDaemon IMAP Denial Of Service

Syafril Hermansyah Tue, 27 Mar 2001 03:14:55 -0800
This is a forwarded message
>From   : [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To     : [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date   : Sunday, March 25, 2001, 8:49:21 AM
Subject: MDaemon IMAP Denial Of Service

===8<==============Original message text===============
Advisory Name:MDaemon IMAP Denial Of Service
   Discovered:23rd Of March 2001
  Application:Alt-N Technologies MDaemon 3.5.6 - 
Other versions most likely prior to this
     Platform:Windows 2k,95/98/NT - others unknown
     Severity:Denial of service from application
       Credit:[EMAIL PROTECTED]
Vendor Status:Unknown - http://www.mdaemon.com/
Overview:

Some  of  the  commands  for the IMAP server do not have proper bounds
checking,  enabling  a user to shutdown the service remotely.It should
be  noted  that  a  user account is required.The commands affected are
SELECT  and  EXAMINE.The  SELECT  command  selects  a  mailbox so that
messages  in  it  can  be  accessed.EXAMINE  works  in the same way as
SELECT,  however  the  mailbox  is  marked as read- only and cannot be
modified.

Demonstration:

Connect  to  the service which runs on port 143 default and login with
the username and pass.

* OK company.mail IMAP4rev1 MDaemon 3.5.6 ready

1 LOGIN JOE PASSWORD
* OK LOGIN completed
1 SELECT AAAAAAA....

Where  A  is  more  than  250 characters in length, once this is sent,
MDaemon  will  send  back  the  following  error  before  closing  the
connection and terminating:

1 NO Mailbox does not exist

A restart of the application is needed to resume the service, no other
applications are affected and the operating system performs as usual.

[EMAIL PROTECTED]


===8<===========End of original message text===========

Patch  update  tersedia  di  ftp://ftp.dutaint.co.id/mdaemon/md357.exe
atau mirrornya di ftp://ftp.dutaint.com/mdaemon/md357.exe

-- 
Best regards,
 Syafril                            mailto:[EMAIL PROTECTED]

-- 
--MDaemon-L----------------------------------------------------------
Milis ini untuk Diskusi antar pengguna MDaemon Mail Server.

Untuk menghubungi moderator/List Owner double click link dibawah ini:
   <mailto:[EMAIL PROTECTED]>
Untuk Unsubscribe, double click link dibawah ini langsung kirim
   <mailto:[EMAIL PROTECTED]>
Untuk Subscribe, double click link dibawah ini langsung kirim
  <mailto:[EMAIL PROTECTED]>
--POWERED BY MDAEMON!------------------------------------------------


Anda terdaftar di List ini dg alamat : [email protected]
[MDaemon-L] Fwd: MDaemon IMAP Denial Of Service

Kirim email ke
