BaSoMail Server Denial of Service - Secunia Advisories - Vulnerability Intelligence

BaSoMail Server Denial of Service
Secunia Advisory:	SA8901	Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment
Release Date:	2003-05-30
Popularity:	5,305 views

Critical:	Moderately critical
Impact:	Exposure of sensitive information DoS
Where:	From remote
Solution Status:	Unpatched

Software:	BaSoMail Server 1.x

Subscribe:	Instant alerts on relevant vulnerabilities

Description: Three vulnerabilities have been identified in BaSoMail Server allowing local users to read usernames and passwords in clear text and malicious people to cause a Denial of Service. The file containing information about valid account names and passwords is stored in an insecure directory and all contents of the file is in clear text. This allows malicious local users to view the data. Malicious users may crash BaSoMail Server by authenticating with the POP3 service and supply negative values for "LIST" and "DELE" commands and then close the connection with a "QUIT". Malicious people may connect to the SMTP service and send more than 2100 characters as an argument to "HELO", "Mail From" or "Rcpt to", after doing this 7-8 times the BaSoMail Server will crash. Version 1.24 has been reported to be vulnerable. Solution: We are not aware of any updates. Do not allow untrusted users access to the local system. Disable accounts for users exploiting the POP3 vulnerability. Implement an application level proxy which can filter malicious SMTP requests. Provided and/or discovered by: Ziv Kamir

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released. Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Latest Advisories

Today

New advisories:	4
New vulnerabilities:	6
Updated advisories:	10

Moderately // 110 views

Ubuntu update for imagemagick

Moderately // 98 views

Ubuntu update for libvorbis

Less // 95 views

Debian update for phpmyadmin

Moderately // 185 views

ClamAV "cli_check_jpeg_expl oit()" Denial of Service Vulnerability

1st Dec, 2008

New advisories:	33
New vulnerabilities:	55
Updated advisories:	56

Moderately // 359 views

RakhiSoftware Shopping Cart Multiple Vulnerabilities

Moderately // 346 views

Lito Lite CMS "cid" SQL Injection Vulnerability

Moderately // 384 views

Basic PHP CMS "id" SQL Injection Vulnerability

Less // 661 views

Microsoft Office Communications Server SIP INVITE Denial of Service

Moderately // 344 views

Bluo CMS "id" SQL Injection Vulnerability

Moderately // 363 views

Active eWebquiz "useremail" and "password" SQL Injection Vulnerabilities

Solutions | More...

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.