Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:2216 |
| Message | WEB-CGI readmail.cgi access |
| Summary | This event is generated when an attempt is made to access readmail.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in Ipswitch IMail 7.04 and earlier. |
| Impact | Denial of service. |
| Detailed Information | Ipswitch IMail is a mail server that supports multiple mail protocols. Its web mail implementation contains a vulnerability in readmail.cgi where, if a mailbox name with more than 248 dot characters (.) is requested, the server will crash. It has also been reported that this is caused by a buffer overflow error that may allow an attacker to execute arbitrary code, but this has not been confirmed. |
| Affected Systems | Mail servers running Ipswitch Imail 7.04 and earlier with web mail enabled. |
| Attack Scenarios | An attacker sends an HTTP request to readmail.cgi for a mailbox with more than 248 dot characters in the mailbox name parameter. The mail server will crash and must be restarted. |
| Ease of Attack | Simple. |
| Corrective Action | Upgrade to a newer version or apply the vendor-supplied hotfix available at ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail704.exe. |
| Additional References | Bugtraq http://www.securityfocus.com/bid/3427 |
| Rule References | bugtraq: 3427 bugtraq: 4579 cve: 2001-1283 nessus: 11748 |
--
DID:636446
--
http://www.aanval.com/