Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: MDaemon SMTP/POP/IMAP server DoS
From: "Basil Hussain" <basil.hussain () kodakweddings com>
Date: Wed, 30 Oct 2002 10:10:02 -0000

The website still offers 6.0.7 (vulnerable) version for download,
So apparently no workaround exists except for shutting it down until
the patch or newer version is available.

I got this in response to my enquiry with AltN about a fix for the problem:

This has been fixed in 6.5 which will be released later today.
If you are under valid upgrade protection you should get it for
free.

I have just installed and tested 6.5 and it appears not to be vulnerable:

+OK somedomain.com POP MDaemon 6.5.0 ready
<MDAEMON-F200210300930.AA305746MD1473 () somedomain com>
user blah
+OK blah... Recipient ok
pass 123456
+OK blah () somedomain com's mailbox has 11 total messages (33599 octets).
uidl 2147483648
+OK
1 MD50000008792:MSG:1168:29523767:3598244718
[...]
11 MD50000008802:MSG:4200:29523957:978208478
.
uidl 2147483649
+OK
1 MD50000008792:MSG:1168:29523767:3598244718
[...]
11 MD50000008802:MSG:4200:29523957:978208478
.
uidl 123456789012345678901234567890
-ERR no such message
quit
+OK blah () somedomain com somedomain.com POP Server signing off (11 messages
left)

Note that for large integers it just returns from the UIDL command as if no
argument were passed at all, but for even larger strings of digits, it
errors that no such message exists.

Basil Hussain


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault