Bugtraq mailing list archives
def-2001-13: NTMail Web Services DoS
From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Tue, 20 Mar 2001 14:19:49 +0100
======================================================================
                  Defcom Labs Advisory def-2001-13

                      NTMail Web Services DoS

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-20
======================================================================
------------------------=[Brief Description]=-------------------------
NTMail's web services contain a flaw that could allow a malicious
attacker to crash the web services using a malformed URL.

------------------------=[Affected Systems]=--------------------------
- NTMail V6.0.3c for Windows NT/2000

----------------------=[Detailed Description]=------------------------
It appears that while fixing another URL-related problem, Gordano
accidentally introduced a new one. The web services on TCP ports 8000
and 9000 are both vulnerable to a "LongURL attack". That means that a
request larger than 255 characters will crash the service.

A crash will take down the services listening on TCP ports: 8000
(NTMail configuration), 8025, 8080, 8888 and 9000 (GLWebMail).

---------------------------=[Workaround]=-----------------------------
Install the patch located at:
ftp://ftp.gordano.com/ntmail6/hotfixes/ntmail6C_Intel_20010317.zip

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 9th of March,
2001 and a patch was released by the vendor on the 17th of March 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
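
A defensive check built on the advisory's details, as an added example that is not part of the original advisory or of Gordano's software: it scans request logs for URLs longer than 255 characters sent to ports 8000 and 9000, and reports whether the co-hosted ports went quiet afterwards. The log layout, the sample lines and the names `scan` and `silent_after` are assumptions, as is measuring the limit on the URL rather than the whole request.

```python
import re
from dataclasses import dataclass

# Values taken from the advisory.
MAX_SAFE_LEN = 255                                # longer requests crash the service
VULNERABLE_PORTS = {8000, 9000}                   # listeners named as vulnerable
CO_HOSTED_PORTS = {8000, 8025, 8080, 8888, 9000}  # all go down in a crash

# Assumed (hypothetical) log layout: <iso-time> <src-ip> <dst-port> "<request line>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) "([A-Z]+) (\S+)(?: HTTP/[\d.]+)?"$')

@dataclass
class Finding:
    time: str
    source: str
    port: int
    url_length: int

def scan(lines):
    """Flag over-length URLs sent to a vulnerable port (limit assumed to apply to the URL)."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a request record in the assumed layout
        time, source, port, _method, url = m.groups()
        if int(port) in VULNERABLE_PORTS and len(url) > MAX_SAFE_LEN:
            findings.append(Finding(time, source, int(port), len(url)))
    return findings

def silent_after(lines, finding):
    """True if no later request to any co-hosted port appears in the log."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) > finding.time and int(m.group(3)) in CO_HOSTED_PORTS:
            return False
    return True

# Constructed sample log lines (documentation addresses, filler paths).
SAMPLE_LOG = [
    '2001-03-20T10:00:05 192.0.2.44 9000 "GET /' + "x" * 300 + ' HTTP/1.0"',
    '2001-03-20T10:00:09 192.0.2.10 8080 "GET / HTTP/1.0"',
    '2001-03-20T10:01:00 192.0.2.77 8000 "GET /' + "x" * 254 + ' HTTP/1.0"',
    '2001-03-20T10:02:00 192.0.2.44 8000 "GET /' + "y" * 400 + ' HTTP/1.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f, "silent afterwards:", silent_after(SAMPLE_LOG, f))
```

A flagged request followed by silence on all five ports matches the crash behaviour described above; a flagged request followed by normal traffic suggests the host is already patched.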