Possible Denial of Service with PHP and Cyrus IMAP on BSDi 4.2

From: Administrator (MG) (adminat_private)
Date: Wed Aug 29 2001 - 22:38:18 PDT


    Use of the PHP IMAP functions on a BSDi webserver with Apache against a Cyrus
    server on BSDi 4.2 will eventually cause the mail server to hang, forcing a
    hard reboot.
    
    A BSDi 4.2 Cyrus server could be remotely DOS'd if external IMAP access is
    available.
    
    This has been experienced running IMP and Jawmail, two popular OSS webmail
    packages which do not exhibit this behavior on other platforms.
    
    This has been tested with PHP compiled against c-client versions 2000
    and 4.7, and with Cyrus 2.0.15 and 2.0.16 as the mail server.
    
    The Cyrus server does not exhibit this behavior with regular mail clients.
    
    It has also been tested with PHP 4.0.4pl1 and PHP 4.0.6.
    
    At this time, I am unable to determine if the issue is with the c-client or
    with PHP.
    
    M. Gamble
    Echo Online Administration
    


