Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20332
HistoryAug 12, 2008 - 12:00 a.m.

[AJECT] hMailServer 4.4.1 DoS vulnerability

2008-08-1200:00:00
vulners.com
20
JSON

Synopsis

hMailServer is vulnerable to resource exhaustion attacks that can
cause a denial-of-service (DoS). The IMAP server crashes when
processing too many IMAP commands as it quickly exhaust its resources.

Product: hMailServer
Version: 4.4.1 and probably the older versions
Vendor: hMailServer (www.hmailserver.com)
Type: Denial-of-service (Resource Exhaustion)
Risk: service disruption
Remote: Yes
Discovered by: João Antunes (AJECT – Attack Injection Tool) on 05/Jun/
2008
Exploit: Not Available
Solution: upgrade to beta version 4.4.2 (Build 279)
Status: Developers were contacted and released a beta version
correcting the resource exhaustion vulnerability.

Vulnerability Description

The vulnerability can be triggered by sending many IMAP commands
repeatedly.
A01 CREATE AAAAA
A02 CREATE AAAAAA
A03 CREATE AAAAAAA

A97 RENAME AAAAA BBBBB
A98 RENAME AAAAAA BBBBBB
A100 RENAME AAAAAAA BBBBBBB

The number of IMAP commands to crash the server depends on the server
resources, but it should take over 20k messages to exhaust 256 MB RAM.
An authenticated client can write a script to overwhelm the server
with too many requests, eventually depleting all memory resources in
the server ,and thus successfully creating a DoS.

JSON