A vulnerability in Timbuktu Pro 2.0b650 allows an attacker to cause a denial of service by repeatedly connecting to and disconnecting from TCP ports 407 and 1417. To restore normal operation, the Timbuktu process must be killed and the Timbuktu service stopped and restarted.
A potential denial of service (henceforth referred to as DoS) attack exists in the default configuration of many popular DNS servers. If a server allows remote hosts to query it for hosts other than those it serves, causing recursion, it may be possible to cause traffic amplification. While the number of packets amplified by a single server is unlikely to cause a denial of service, by exploiting the hierarchical nature of DNS it becomes possible to cause large amounts of traffic to be directed at a single site. The vulnerability lies in how name servers behave when they are unable to receive replies for a domain from a nameserver they consider authoritative. When a nameserver receives a query, it is typically forwarded up a chain of DNS servers. If the query cannot be resolved because there is no nameserver listening on the remote host, each forwarding nameserver will attempt to resolve the query itself. These attempts are typically retried three times, at 0, 12 and 24 seconds. In this case, the traffic is significantly multiplied. By abusing multiple nameservers, it becomes possible to send a large quantity of data to a given network, with packet sizes as large as 500 bytes.
Submitting a RETR command with a message ID argument longer than 10 numeric characters will crash the Internet Anywhere Mail Server. A Dr. Watson error message will appear reporting an access violation by MailServer.exe. Restarting the mail server restores functionality. This denial of service attack does not affect other running programs, and requires the attacker to have a valid username and password on the POP3 server.
The CS Audit Trail Proxy feature installed by default with BorderManager 3.0 and 3.5 opens a listening port on port 2000, on both the internal and external interfaces. If a connection is made to this port and the Enter key is pressed a few times, the server will start experiencing memory allocation problems. Eventually the server will have to be rebooted to restore normal functionality.
By requesting a long URL from a Novell GroupWise 5.5 web server with the Enhancement Pack installed, it is possible to cause the server to abend, Java.nlm to consume all available CPU resources, or the post office service to stop.
The Windows API that handles shortcut navigation is susceptible to buffer overflow attacks. The API function 'SHGetPathFromIDList' parses a shortcut file (.lnk) to find the target file, directory or URL. A specially malformed shortcut will cause any program that uses the API to follow that shortcut to crash.
idq.dll is vulnerable to a directory traversal attack, allowing an attacker to gain read access to any file on the same logical drive as the web server's virtual root. The attacker has to know the physical path and filename of the requested file, and the ACL for the file must grant read access to either the anonymous user or the Everyone or Guest group. idq.dll will follow the '../' string in the specification of a template file, and any file can be specified as the template file. Although some IDQ files append the '.htx' extension to the user's input, it is possible to circumvent this by appending several spaces to the end of the requested filename, e.g. 'desiredfile.txt%20%20%20...%20%20.htx'. The webhits.dll patch may in some cases affect the nature of this vulnerability.
WWWThreads is a web bulletin board program that uses an SQL backend. Due to incomplete input validation, it is possible for an attacker to submit SQL commands through forms and manipulate the contents of the database to gain administrator privileges over the database. There are various ways for a program to ensure that all entries into data fields are interpreted as data and not as SQL commands. WWWThreads uses the quote() function to do this for string values, but fails to verify numeric values in a similar manner. Therefore, SQL commands can be passed to WWWThreads via any numeric argument. These commands can be used to update the status of any user to Administrator and change their security level to '100' (the same level as the Administrator).
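The following is an added example, not WWWThreads' own code, sketching the class of flaw described above: string values are escaped with a quote()-style function while a numeric argument is interpolated unchecked, placed beside a fixed version that validates the numeric argument and binds both values as query parameters. The table and column names are assumptions, and the in-memory SQLite database is constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample table standing in for a bulletin board user table (names assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "Administrator"), (2, "alice", "Member"), (3, "bob", "Member")])
    conn.commit()
    return conn

def quote(value):
    # Escaping of string values, in the spirit of the quote() function the advisory mentions.
    return "'" + str(value).replace("'", "''") + "'"

def set_title_vulnerable(conn, user_id, title):
    # The string is escaped, but the "numeric" id is pasted into the statement verbatim,
    # so a tampered id value becomes part of the WHERE clause instead of data.
    cur = conn.execute("UPDATE users SET title=%s WHERE id=%s" % (quote(title), user_id))
    conn.commit()
    return cur.rowcount  # rows actually updated; more than one means the clause was altered

def is_numeric_arg(value):
    # The missing check: a numeric argument must be exactly an unsigned integer literal.
    return re.fullmatch(r"[0-9]{1,9}", str(value)) is not None

def set_title_fixed(conn, user_id, title):
    # Validate the numeric argument, then bind both values as parameters so the
    # database driver never treats them as SQL text.
    if not is_numeric_arg(user_id):
        raise ValueError("numeric argument expected")
    cur = conn.execute("UPDATE users SET title=? WHERE id=?", (title, int(user_id)))
    conn.commit()
    return cur.rowcount
```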
Due to improper bounds checking in the code that handles MKD and CWD commands, it is possible to remotely crash the server by submitting extremely long pathnames as arguments to either command.
Microsoft Outlook Express 5, and possibly other email clients that parse HTML messages, can be made to run Active Scripting that reads any new messages arriving after the hostile code has been run. The exploit code uses a window.open() call to open a new window with a JavaScript alert that displays the contents of the message body.