COMMAND

    InterChange

SYSTEMS AFFECTED

    InterChange

PROBLEM

    The following is based on a Strumpf Noir Society advisory.
    Infinite InterChange is a Win95/98/NT/2k mailserver for
    organizations that need to expand their network messaging.
    Infinite InterChange has many functions, ranging from standalone
    mailserver to Internet gateway.

    One of InterChange's main features is a popular webmail interface.
    This interface and its supporting HTTP server are subject to a
    Denial of Service attack through a malformed POST request.

    The HTTP server that comes with InterChange contains an overflow
    in the POST command.  Submitting a specially crafted POST request
    comprised of 963 bytes or more to the server's HTTP port will
    cause the program to crash.

    This can be as simple as:

        telnet victim 80
        POST aaa(963+ bytes) HTTP/1.0

    At which point the server-process will die.

SOLUTION

    Vendor has been notified.  This was tested against Infinite
    InterChange 3.61.  A fix will be made available from the vendor's
    website.
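
    Requests of the size described above can be flagged at a front-end
    filter or in captured traffic.  The check below is an added
    example, not part of the original advisory or any vendor code; it
    assumes the 963-byte figure applies to the whole request line, and
    all sample requests and names in it are constructed.

```python
import re

THRESHOLD = 963  # bytes; the size the advisory reports as crashing the server

# Only the method token is parsed; the rest of the line is not trusted
# to be well formed (it may lack a version or even a line terminator).
METHOD = re.compile(rb"^([A-Za-z]+) ")


def check_request_line(raw: bytes, threshold: int = THRESHOLD) -> dict:
    """Classify the first line of a raw HTTP request buffer."""
    line, sep, _ = raw.partition(b"\n")
    line = line.rstrip(b"\r")
    m = METHOD.match(line)
    method = m.group(1).decode("ascii").upper() if m else None
    oversized = len(line) >= threshold
    return {
        "method": method,
        "length": len(line),
        "terminated": bool(sep),   # False: buffer ended before CR/LF arrived
        "oversized": oversized,
        # The advisory names POST only, so the alert is POST-specific;
        # "oversized" is still reported for every method.
        "alert": method == "POST" and oversized,
    }


def scan(requests):
    """Return the indexes of requests that match the advisory's condition."""
    return [i for i, r in enumerate(requests) if check_request_line(r)["alert"]]


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"POST /index.html HTTP/1.0\r\n\r\n",            # ordinary request
    b"POST " + b"a" * 948 + b" HTTP/1.0\r\n\r\n",     # 962-byte line, below threshold
    b"POST " + b"a" * 949 + b" HTTP/1.0\r\n\r\n",     # 963-byte line, at threshold
    b"GET /" + b"a" * 2000 + b" HTTP/1.0\r\n\r\n",    # long, but not POST
    b"post " + b"a" * 1500,                           # unterminated partial buffer
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(i, check_request_line(sample))
    print("alerts:", scan(SAMPLES))
```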