| VID |
12063 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The MailEnable HTTPMail service is vulnerable to a Content-Length denial-of-service vulnerability. MailEnable is a POP3 and SMTP server for Microsoft Windows platforms. The professional version of MailEnable includes an additional mail access service called HTTPMail. HTTPMail is a mail access protocol based on WebDAV that lets you access your mail on the server without downloading it (as is often the case with POP). MailEnable Professional Edition versions 1.19 and earlier are vulnerable to a denial-of-service attack caused by a flaw in the MailEnable HTTP header parsing code. By sending an HTTP request that includes a specially crafted Content-Length header field to the HTTP server, a remote attacker could overflow a buffer and cause the affected HTTP service to crash, or possibly execute arbitrary code on the system.
* References:
  http://www.osvdb.org/displayvuln.php?osvdb_id=8301
  http://packetstormsecurity.nl/0408-exploits/mailenable.txt
  http://www.securitytracker.com/alerts/2004/Aug/1010837.html
* Platforms Affected:
  MailEnable Pty. Ltd, MailEnable Professional Edition 1.19 and earlier
  Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of MailEnable Professional (1.2 or later), available from the MailEnable Web site at http://mailenable.com/
-- OR --
Apply the HTTPMail hotfix from 9th August 2004, available from the MailEnable Hotfix Web site at http://www.mailenable.com/hotfix/ |
| Related URL |
(CVE) |
| Related URL |
10838 (SecurityFocus) |
| Related URL |
16863 (ISS) |
|