From peter.grundl@DEFCOM.COM Thu Mar 15 11:20:59 2001
From: Peter Gründl
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 15 Mar 2001 14:25:45 +0100
Subject: [BUGTRAQ] def-2001-11: MDaemon 3.5.4 Dos-Device DoS

======================================================================
Defcom Labs Advisory def-2001-11

MDaemon 3.5.4 Dos-Device DoS

Author: Peter Gründl
Release Date: 2001-03-15
======================================================================
------------------------=[Brief Description]=-------------------------
Web services in the MDaemon package can be crashed by requesting a
malicious URL.

------------------------=[Affected Systems]=--------------------------
- MDaemon 3.5.4 Standard for Windows NT/2000
- MDaemon 3.5.4 Pro for Windows NT/2000

----------------------=[Detailed Description]=------------------------
There is a problem with the way the Worldclient (default port 3000) and
the Webconfig service (default port 3001) handle requests for
dos-devices. If a user requests e.g. "http://www.foo.org:3000/aux", the
Worldclient service will crash. The same fault affects the Webconfig
service.

The service needs to be restarted from the MDaemon console.

---------------------------=[Workaround]=-----------------------------
Upgrade to MDaemon 3.5.6:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of March,
2001 and the vendor released a patch on the 9th of March, 2001.

======================================================================
This release was brought to you by Defcom Labs

labs@defcom.com                                         www.defcom.com
======================================================================
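
A defensive check for the request class described in the advisory, as an added example that is not part of the original advisory or of MDaemon's code: it flags URL paths in which any segment resolves to a reserved DOS device name, so a front-end filter or log review can catch them. The advisory names only "aux"; the wider device list, the function names `dos_device_in_path` and `flag_requests`, and the sample request lines are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Standard Windows reserved device names; the advisory itself only names "aux".
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})


def dos_device_in_path(url_or_path):
    """Return the reserved device name found in any path segment, else None."""
    path = urlsplit(url_or_path).path
    # Decode repeatedly (bounded) so %61ux and %2561ux are both caught.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    for segment in re.split(r"[/\\]+", path):
        # Windows ignores trailing dots and spaces, and "aux.txt" or "aux:"
        # still resolve to the device, so compare only the base name.
        base = re.split(r"[.:]", segment.strip(" ."), maxsplit=1)[0]
        base = base.strip(" ").upper()
        if base in DOS_DEVICES:
            return base
    return None


def flag_requests(request_lines):
    """Return (request line, device) pairs for lines whose target hits a device."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a well-formed "METHOD target ..." request line
        device = dos_device_in_path(parts[1])
        if device:
            hits.append((line, device))
    return hits


# Constructed request lines for illustration (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /aux HTTP/1.0",
    "GET /images/%4cPT1.gif HTTP/1.0",
    "GET /help/auxiliary.htm HTTP/1.0",
]
```
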