Alt-N's WorldClient is an email webserver that allows its users to retrieve email via HTTP. It is susceptible to denial of service attacks due to an unchecked buffer in the request handler. By supplying a long URL to the server, it can be crashed.
The Mdaemon mail server for Windows includes a small web server for web-based remote administration. This webserver is vulnerable due to an unchecked buffer that handles incoming GET requests. An abnormally large URL sent to the WebConfig service at port 2002 will crash the service.
A vulnerability in the method IE5 uses to process XML data may allow a malicious web site owner to read files on a visiting user's computer. A web page may be created that contains an XML object type with instructions to read known files on the visitor's local host (and/or domain). The IE5 client will allow the XML redirect to access files within its own domain. Note that if this vulnerability is exploited against IE5 for Unix, the only reported result is that the application suffers an 'Internal Error' and crashes.
The ZetaMail mail server will crash if a username/password pair longer than 3500 characters is supplied by the client.
Riched20.dll and Riched32.dll, which Windows uses to parse Rich Text Format files, have an unchecked buffer which allows arbitrary code to be executed. The code can be put into an .rtf file and emailed to the victim. If the victim then opens the document, the code will run at the same privilege level as the user. It has been reported on the Bugtraq mailing list that the patch provided by Microsoft does not completely fix the problem: an .rtf file with 1000 characters (instead of the original 32) will still crash the application reading the .rtf file.
Certain versions of the Tektronix PhaserLink printer ship with a webserver designed to facilitate configuration of the device. This service is essentially administrator-level access, as it can completely modify the system characteristics, restart the machine, assign services, etc. In at least one version of this printer, there is a series of undocumented URLs which will allow remote users to retrieve the administrator password. Once the password is obtained, the user can manipulate the printer in any way they see fit.
Certain versions of the W4-Server 32-bit personal webserver by Antelope Software ship with a flawed script, Cgitest.exe. This compiled CGI script fails to perform bounds checking on user-supplied data and is vulnerable to a buffer overflow.
The G6 FTP Server, by Gene6, is vulnerable to a buffer overflow attack. If 2000 characters are sent as the username or password, the software will use up all available memory and CPU time and bring the host to a halt.
FormHandler.cgi is a CGI script used to process HTML forms. It is typically run as user 'nobody' on Unix systems. An attacker can gain access to sensitive files such as /etc/passwd simply by modifying the form document. This is possible because the FormHandler.cgi script has read access to any file specified as an attachment in a reply email. The attacker can also download the /etc/passwd file by adding a hidden input field to the form with the value "text:/tmp/../etc/passwd".
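The root cause in the FormHandler.cgi entry is that a file name taken from a form field is opened without confining it to a permitted directory. The following is an added example, not FormHandler.cgi's own code, of the check a form handler needs before attaching a file: the "text:" prefix, the /tmp root and the field names are assumptions chosen to mirror the entry above.

```python
import os
from typing import Dict, List, Optional, Tuple

# Assumption: attachments may only come from below this directory.
ALLOWED_ROOT = "/tmp"
ATTACH_PREFIX = "text:"  # assumed form-value syntax, as in the entry above


def resolve_attachment(value: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Return the normalised path for a 'text:<path>' form value, or None
    when the value is malformed or escapes `root` (e.g. via '..')."""
    if not value.startswith(ATTACH_PREFIX) or "\0" in value:
        return None
    requested = value[len(ATTACH_PREFIX):]
    # os.path.join discards `root` if `requested` is absolute, so the
    # containment check below is what actually enforces the boundary.
    candidate = os.path.normpath(os.path.join(root, requested))
    root = os.path.normpath(root)
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def vet_form_attachments(fields: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split submitted form fields into accepted attachment paths and the
    raw values that were rejected (suitable for logging an attempt)."""
    accepted, rejected = [], []
    for name, value in fields.items():
        if not name.startswith("attach"):
            continue
        path = resolve_attachment(value)
        (accepted if path else rejected).append(path or value)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed form submission: one legitimate attachment and the
    # traversal value described in the entry.
    form = {
        "email": "user@example.invalid",
        "attach1": "text:/tmp/report.txt",
        "attach2": "text:/tmp/../etc/passwd",
    }
    ok, bad = vet_form_attachments(form)
    print("accepted:", ok)   # ['/tmp/report.txt']
    print("rejected:", bad)  # ['text:/tmp/../etc/passwd']
```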
The FTP server that ships with QPC's QVT line of products is vulnerable to a denial of service attack. The FTP server has an unchecked buffer in the logon function. If a username/password pair is specified that is longer than 2000 characters combined, the server will drop the connection with an 'authentication failed' message. The next time someone tries to connect, the server will crash.