From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 4 Dec 2005 10:44:18 +0200
Subject: [NT] MailEnable IMAP Rename Command DoS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051204092243.448C6573B@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MailEnable IMAP Rename Command DoS
------------------------------------------------------------------------
SUMMARY
" <http://www.mailenable.com/>; MailEnable's mail server software provides
a powerful, scalable hosted messaging platform for Microsoft Windows."
By supplying MailEnable IMAP Server with a special request, remote
attackers can cause the IMAP server to crash, causing a DoS.
DETAILS
Vulnerable Systems:
* MailEnable Pro version 1.7
* MailEnable Enterprise version 1.1
Attacker can remotely crash the IMAP server by sending the IMAP command of
rename with a mailbox name that does not exist on the server.
Vendor Status:
The vendor has issued a patch:
<http://www.mailenable.com/hotfix/MEIMAPS.ZIP>;
http://www.mailenable.com/hotfix/MEIMAPS.ZIP
To install:
1. Stop the IMAP service
2. Rename the MEIMAPS.EXE file in the Mail Enable\bin directory as this
will allow you to roll back this fix
3. Extract the zip file from the URL above to the Mail Enable\bin
directory
4. Start the IMAP service
Disclosure Timeline:
November 24, 2005 10:50AM Vendor notified
November 24, 2005 13:28PM Patch released
ADDITIONAL INFORMATION
The information has been provided by <mailto:jzlatin@ramat.cc.> Josh
Zlatin.
The original article can be found at:
<http://zur.homelinux.com/Advisories/MailEnableImapDos.txt>;
http://zur.homelinux.com/Advisories/MailEnableImapDos.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
