MDaemon WorldClient Web services denial of service
| mdaemon-webservices-dos (6240) |  Medium Risk |
Description:
MDaemon is vulnerable to a denial of service attack, due to a vulnerability in the WorldClient service (port 3000) and the Webconfig service (port 3001). The WorldClient service allows access to email accounts through a Web browser. An attacker can send a specially-crafted URL request to the WorldClient or Webconfig service to cause Web services in MDaemon to crash. The service must be restarted from the MDaemon console in order to regain normal functionality.
Platforms Affected:
- Alt-N, MDaemon 3.5.6
Remedy:
Upgrade to the latest version of MDaemon (3.5.6 or later), available from the Mdaemon Web site. See References.
Consequences:
Denial of Service
References:
- Defcom Labs Advisory def-2001-11, MDaemon 3.5.4 Dos-Device DoS at http://archives.neohapsis.com/archives/bugtraq/2001-03/0188.html.
- MDaemon Web site, Download MDaemon at http://mdaemon.deerfield.com/download/getmdaemon.cfm.
- BID-2478: Alt-N WorldClient 2.2.2 DOS-Device Denial of Service Vulnerability
- CVE-2001-0583: Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a denial of service via the URL request of a MS-DOS device (such as GET /aux) to (1) the Worldclient service at port 3000, or (2) the Webconfig service at port 3001.
Reported:
Mar 15, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net