Bugtraq mailing list archives
RE: MDaemon SMTP/POP/IMAP server DoS
From: "Basil Hussain" <basil.hussain () kodakweddings com>
Date: Wed, 30 Oct 2002 10:10:02 -0000
The website still offers 6.0.7 (vulnerable) version for download, So apparently no workaround exists except for shutting it down until the patch or newer version is available.
I got this in response to my enquiry with AltN about a fix for the problem:
This has been fixed in 6.5 which will be released later today. If you are under valid upgrade protection you should get it for free.
I have just installed and tested 6.5 and it appears not to be vulnerable: +OK somedomain.com POP MDaemon 6.5.0 ready <MDAEMON-F200210300930.AA305746MD1473 () somedomain com> user blah +OK blah... Recipient ok pass 123456 +OK blah () somedomain com's mailbox has 11 total messages (33599 octets). uidl 2147483648 +OK 1 MD50000008792:MSG:1168:29523767:3598244718 [...] 11 MD50000008802:MSG:4200:29523957:978208478 . uidl 2147483649 +OK 1 MD50000008792:MSG:1168:29523767:3598244718 [...] 11 MD50000008802:MSG:4200:29523957:978208478 . uidl 123456789012345678901234567890 -ERR no such message quit +OK blah () somedomain com somedomain.com POP Server signing off (11 messages left) Note that for large integers it just returns from the UIDL command as if no argument were passed at all, but for even larger strings of digits, it errors that no such message exists. Basil Hussain
Current thread:
- MDaemon SMTP/POP/IMAP server DoS D4rkGr3y (Oct 28)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Robert Feldbauer (Oct 29)
- <Possible follow-ups>
- Re: MDaemon SMTP/POP/IMAP server DoS Muhammad Faisal Rauf Danka (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 30)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)