OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Casper Aleva (tonus_at_dsinet.org)
Date: Sun Dec 29 2002 - 19:30:18 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    DSINet Security Advisory DSINET-SA-02-01
    http://www.dsinet.org/textfiles/advisories/dsinet/dsinet-sa-02-01.txt

    Potential DOS attack with Web-CyrAdm

    Program: Web-CyrAdm
    Credits: Remko Lodder ( remkodsinet.org - http://www.dsinet.org/ )
    Vendor: Luc de Louw ( luc at delouw.ch - http://www.web-cyradm.org/ )
    Affected versions: Version 0.5.2 and older.
    Non-affected versions: CVS snapshot as of 12-12-2002.

    - - Synopsis
    The Package Web-CyrAdm, used for administring Cyrus IMAP deamons,
    has a potential DoS attack.

    - - Problem description
    When the IMAP daemon is not running a DoS situation can
    occur when someone logs into the web-cyradm package.
    The problem rises when someone selects a domain and wants to administer
    his / her user accounts.
    What happens?
    At this point there is no check that looks if IMAP is running or not.
    Without this check the program goes into a infinite loop complaining
    about valid file handlers.

    - - Impact
    This problem can increase the total datastream to 10mb+ in a matter of
    seconds.
    This also causes the host to stop responding to other requests, including
    those coming from localhost.
    In some cases it takes down the entire system as a result of heavy CPU
    utilization.

    Remko notified luc at delouw.ch immediatly by creating a bugzilla bug
    thread. Luc responded quickly and updated the CVS right away.

    - - Solution
    The solution is a check which looks wether the IMAP daemon runs or not.

            $cyr_conn = new cyradm;

           $error=$cyr_conn -> imap_login();

           if ($error!=0){
                   die ("Error $error");
           }
    This is the given solution and as far as the vendor could see it worked.

    - - Affected files:
    browseaccounts.php
    deleteaccount.php
    newaccount.php

    - - Actions to be taken by users
    Users using Web-CyrAdm are advised to upgrade to the latest version which
    can be found in the CVS.

    - - Credits
    Thanks go out to:

    Remko Lodder (remkodsinet.org) for tracing this bug,
    Luc de Louw (luc at delouw.ch) for patching it.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (FreeBSD)

    iD8DBQE+D6GtXB/SQMVhvpIRAv9DAJ4pts0itzID6S/uZPov7ni4ic0WngCg0Whg
    ZYru8RktjGjgSJDFZBwQ3AI=
    =D/MB
    -----END PGP SIGNATURE-----