COMMAND
Inframail
SYSTEMS AFFECTED
Inframail 3.97a and prior
PROBLEM
Following is based on a Strumpf Noir Society Advisories.
Inframail is an advanced SMTP, POP, HTTP and FTP server solution
available in 3 editions (Home, Small Business and Advantage) for
MS Windows 9x/NT/2k and Linux.
There exists a paring problem in the handling of 302 pages by the
server serving both the webpages and the administration interface
for the members of the Inframail product family.
This allows for a DoS against the system through a malformed POST
request consisting of a space followed by a long string (276 bytes
or more) of characters. The running services will freeze and the
program will need to be restarted to regain full functionality.
DoS example on the default HTTP port (80):
# telnet victim 80
POST / Ax276 bytes/ HTTP/1.1
after which the running services freeze. The same effect can be
witnessed when running above on the administration port (default
81).
This was tested against Inframail v3.97a running on MS Windows NT.
SOLUTION
Vendor has been notified and has corrected this issue. A new
release (v3.98a) of this product has been made available from the
vendor's website.