COMMAND

    dMailWeb and cwMail

SYSTEMS AFFECTED

    NetWin dMailWeb 2.6 amd prior

PROBLEM

    Chris Wolfe found following.  NetWin cwMail is also vulnerable  to
    the same attacks, and appears to be using exactly the same version
    numbers.

    dMailWeb is a CGI application used to provide web-based e-mail  in
    collaboration  with  a  standard  POP  server.   Authentication is
    performed  by  attempting  to  log  into  the requested POP server
    with the supplied username  password.  An optional  feature allows
    connection to POP server other  than the default (or to  a limited
    list of POP servers) - this  server can be specified on the  login
    page in the pophost field.

    Sending  long  values  as  the  username  (>= 240 chars, 239 works
    normally) will cause the script  to freeze (just over a  minute on
    the machines tested).   The pophost field  has a similar  problem,
    though it requires more characters to trigger (tested 512).

    An  extremely  long  pophost  (tested  1024)  causes the script to
    freeze and then crash (2.6j removed the delay but still  crashes).
    The DOS was tested using a  Perl script from a Linux P200.   After
    approximately  70  requests  in  45  seconds  the target machine's
    networking services  were completely  unavailable.   The script is
    trivial enough that I am not going to tidy it up to publish here.

    Tested target:

        - Linux 2.2.14 (Slackware 7), Pentium 200, 96 Mb RAM
        - Apache 1.3.12, dMail 2.7r (trial).
        - dMailWeb 2.5e, 2.6g, 2.6i, 2.6j (all trial versions)
          NetWin dMailWeb Demo server.

    The  freezes  were  tested  using  simple JavaScript URLs to enter
    long values in the fields.   After running one of the URLs  simple
    enter garbage in the remainder of the fields and press login.

        - username (>= 240 A's, all one line)
          javascript:document.loginform.user.value="AA...AA";
          alert(document.loginform.user.value);

        - pophost (tested 512 A's, all one line)
          javascript:document.loginform.pophost.value="AA...AA";
          alert(document.loginform.pophost.value);

SOLUTION

    Use the force_primary ini  directive to prevent the  pophost field
    from  being  processed.  Ensure  your  script  user  has processor
    limits set to prevent the entire server being disabled.  See:

        http://www.netwinsite.com/dmailweb/dmailweb.htm

    New versions of dMailWeb (and cwMail) can be downloaded from:

        ftp://ftp.netwinsite.com/dmailweb/

    As  of  Jun  21  the  partially  fixed  versions are still in Beta
    testing.  They can be downloaded from:

        ftp://ftp.netwinsite.com/dmailweb/beta/