TITLE: MailEnable Buffer Overflow and Directory Traversal Vulnerabilities SECUNIA ADVISORY ID: SA17633 VERIFY ADVISORY: http://secunia.com/advisories/17633/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: MailEnable Enterprise Edition 1.x http://secunia.com/product/4325/ MailEnable Professional 1.x http://secunia.com/product/3474/ DESCRIPTION: Secunia Research has discovered some vulnerabilities in Mail Enable Professional/Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service) and to compromise a vulnerable system. 1) A boundary error exists in the IMAP service (MEIMAPS.EXE) when handling an overly long mailbox name passed to "select", "create", "delete", "rename", "subscribe", and "unsubscribe" commands. This can be exploited by a malicious user to cause a stack-based buffer overflow and allows arbitrary code execution. 2) Directory traversal error exists in the IMAP service (MEIMAP.EXE) when handling specially crafted mailbox name passed to the "create" and "rename" commands. This can be exploited by a malicious user to create arbitrary directories on the server, or to cause a DoS by renaming the mail directories of other users. The vulnerabilities have been confirmed in the following versions: * MailEnable Professional version 1.6 with Hotfix MEIMAPS-UPD0511010000.zip applied. * MailEnable Enterprise version 1.1 with Hotfix MEIMAPS-UPD0511010000.zip applied. Prior versions may also be affected. SOLUTION: Apply cumulative update (ME-10008): http://www.mailenable.com/hotfix/ME-10008.EXE The vulnerabilities have also been fixed in MailEnable Professional Edition version 1.7. PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong, Secunia Research. ORIGINAL ADVISORY: MailEnable: http://www.mailenable.com/hotfix/ Secunia Research: http://secunia.com/secunia_research/2005-59/advisory/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------