COMMAND

    Inframail

SYSTEMS AFFECTED

    Inframail 3.97a and prior

PROBLEM

    The following is based on a Strumpf Noir Society advisory.
    Inframail is an advanced SMTP, POP, HTTP and FTP server solution
    available in 3 editions (Home, Small Business and Advantage) for
    MS Windows 9x/NT/2k and Linux.

    There exists a parsing problem in the handling of 302 pages by the
    server serving both the webpages and the administration interface
    for the members of the Inframail product family.

    This allows for a DoS against the system through a malformed POST
    request consisting of a space followed by a long string (276 bytes
    or more) of characters.  The running services will freeze and the
    program will need to be restarted to regain full functionality.

    DoS example on the default HTTP port (80):

        # telnet victim 80
        POST / Ax276 bytes/ HTTP/1.1

    after which the running services freeze.  The same effect can be
    witnessed when running the above against the administration port
    (default 81).

    This was tested against Inframail v3.97a running on MS Windows NT.
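
    Added example, not part of the original advisory or the vendor's
    code: a detection check for request lines shaped like the one
    above, for use on captured request lines or in a filtering proxy
    in front of an unpatched server.  It assumes the trigger is an
    extra token of 276 bytes or more after the request target, as in
    the example; the function names and sample lines are constructed.

```python
# Added example: flag request lines shaped like the one in the advisory.
LONG_TOKEN_BYTES = 276  # threshold stated in the advisory


def classify_request_line(raw: bytes) -> str:
    """Return 'match', 'malformed' or 'ok' for one raw HTTP request line."""
    parts = raw.rstrip(b"\r\n").split(b" ")
    if parts[0] != b"POST":
        return "ok"  # the advisory describes POST requests only
    # A well-formed request line is: METHOD SP target SP HTTP-version
    has_version = len(parts) > 1 and parts[-1].startswith(b"HTTP/")
    well_formed = len(parts) == 3 and has_version
    # Tokens between the method and the version; anything after the
    # first of them (the target) is the "space followed by a string".
    middle = parts[1:-1] if has_version else parts[1:]
    extra = middle[1:]
    if any(len(tok) >= LONG_TOKEN_BYTES for tok in extra):
        return "match"
    return "ok" if well_formed else "malformed"


def scan(lines):
    """Return (line_number, verdict) for every line that is not 'ok'."""
    hits = []
    for number, raw in enumerate(lines, 1):
        verdict = classify_request_line(raw)
        if verdict != "ok":
            hits.append((number, verdict))
    return hits


# Constructed sample input (not captured traffic).
SAMPLE_LINES = [
    b"POST /login HTTP/1.1\r\n",
    b"POST / " + b"A" * 276 + b"/ HTTP/1.1\r\n",
    b"POST / extra HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\r\n",
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LINES):
        print(f"line {number}: {verdict}")
```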

SOLUTION

    The vendor has been notified and has corrected this issue.  A new
    release (v3.98a) of this product has been made available from the
    vendor's website.