From: Stan Bubrouski (stanccs.neu.edu)
Date: Sat Jun 01 2002 - 18:12:33 CDT
> Original version
> Title: Courier CPU exhaustion
> Author: ZARAZA <3APA3Asecurity.nnov.ru>
> Date: May, 31 2002
> Affected: courier-0.38.1
> Vendor: Double Precision, Inc.
> Risk: Low to average
> Remote: Yes
> Exploitable: Yes
> Vendor notified: May, 20 2002
> Product URL: http://www.courier-mta.org
> SECURITY.NNOV URL: http://www.security.nnov.ru
> Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055
> Courier is a widely used suite of e-mail services written with security in
> A loop with an unchecked iteration counter controlled by user input may
> cause courier to freeze for over a minute with 100% CPU usage on a
> single command or message.
> unsigned day=0, mon=0, year;
> unsigned y;
> if (year < 1970) return (0);
> for (y=1970; y<year; y++) ...
> year may be any unsigned integer.
> Sam Varshavchik <mrsamcourier-mta.com> was contacted on May, 20.
> Problem was patched in CVS version on the same day.
> Bonus on imap-uw:
> Imap-uw allows a user to access any file he could access locally. It's not
> a bug, it's insecurity by design (it was not created with security in
> mind ;-). According to the FAQ from the vendor's web site (it's not mentioned in the
> FAQ inside the program distribution):
> 5.1 I see that the IMAP server allows access to arbitrary files on the
> system, including /etc/passwd! How do I disable this?
This issue with uw-imapd has been known about for years and years and
years. I brought this up about two years ago and I noticed others had
as well. Changing one if statement in a source file fixes the behaviour
and yes it is a FEATURE not a BUG. I don't recall the exact location or
if statement to change but looking through uw-imapd archives is how I
found it out a couple years ago, and I recommend you do the same.
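
The loop pattern from the quoted Courier advisory, shown beside a bounded form. This is an added example, not part of the original post and not Courier's code or its CVS patch. The function names, the loop body (elided as "..." in the advisory), and the YEAR_MAX bound are assumptions.

```c
#include <stdio.h>

#define YEAR_MAX 9999u /* assumed upper bound, not taken from the Courier patch */

static int is_leap(unsigned y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Pattern from the advisory: iteration count is (year - 1970), and year
 * comes from user input. The loop body here is an assumed stand-in. */
unsigned long days_loop(unsigned year)
{
    unsigned long days = 0;
    unsigned y;

    if (year < 1970) return 0;
    for (y = 1970; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    return days;
}

/* Number of leap years in the range [1, y]. */
static unsigned long leaps_through(unsigned y)
{
    return y / 4 - y / 100 + y / 400;
}

/* Hardened form: reject out-of-range input first, then compute the same
 * value with fixed-cost arithmetic. Returns 0 on success, -1 on reject. */
int days_checked(unsigned year, unsigned long *out)
{
    if (year < 1970 || year > YEAR_MAX) return -1;
    *out = 365UL * (year - 1970)
         + (leaps_through(year - 1) - leaps_through(1969));
    return 0;
}

int main(void)
{
    unsigned samples[] = {1970, 2002, 9999, 4294967295u}; /* constructed inputs */
    unsigned long d;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (days_checked(samples[i], &d) == 0)
            printf("%u -> %lu days since 1970\n", samples[i], d);
        else
            printf("%u -> rejected\n", samples[i]);
    return 0;
}
```

The range check alone removes the CPU exhaustion; the closed-form count additionally makes the cost independent of the parsed year.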