MailEssentials HTML parser denial of service

mailessentials-html-parser-dos (18725) The risk level is classified as LowLow Risk

Description:

GFi MailEssentials for Microsoft Exchange is vulnerable to a denial of service attack, caused by a vulnerability in Microsoft's HTML parser. A remote attacker could send a specially-crafted HTML email to cause the program to stop processing, resulting in a denial of service.

Platforms Affected:

  • GFI, GFi MailEssentials 10.x
  • GFI, GFi MailEssentials 9.x

Remedy:

Apply the appropriate patch for your system, available from the GFi MailEssentials Web site. See References.

Consequences:

Denial of Service

References:

  • BugTraq Mailing List, Mon Jan 03 2005 - 03:09:19 CST , Remote DoS in GFI MailEssentials due to a bug in Microsoft HTML parser at http://archives.neohapsis.com/archives/bugtraq/2005-01/0002.html.
  • GFi MailEssentials Web site, GFI MailEssentials for Exchange/SMTP at http://www.gfi.com/mes/.
  • BID-12148: GFI MailEssentials and MailSecurity HTML Email Remote Denial of Service Vulnerability
  • CVE-2004-1312: A bug in the HTML parser in a certain Microsoft HTML library, as used in various third party products, may allow remote attackers to cause a denial of service via certain strings, as reported in GFI MailEssentials for Exchange 9 and 10, and GFI MailSecurity for Exchange 8, which causes emails to remain in IIS or Exchange mail queues.
  • SA13708: GFI MailEssentials / MailSecurity Mail Processing Denial of Service

Reported:

Jan 03, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page