Ipswitch IMail versions 8.15 and 8.2 with hotfix 1 and prior contain multiple vulnerabilities that could allow a remote attacker to create a denial of service (DoS) condition and read arbitrary files.
The first vulnerability (CAN-2005-1249) is the result of insufficient bounds checks. An authenticated remote attacker could exploit this vulnerability by submitting a malformed LSUB command. Exploitation allows the attacker to consume excessive system resources, resulting in a DoS condition.
The second vulnerability (CAN-2005-1254) allows an authenticated remote attacker to conduct a buffer overflow attack. To exploit this vulnerability, the attacker can submit an overly long argument to the SELECT command. Exploitation allows the attacker to crash the IMAP service.
The third vulnerability (CAN-2005-1255) is the result of insufficient bounds checks in the LOGIN command. An unauthenticated attacker can submit an overly long username designed to trigger a buffer overflow. This could allow the attacker to execute arbitrary code.
The fourth vulnerability (CAN-2005-1255) also exists due to improper checking of the username argument of the LOGIN command. An unauthenticated attacker can submit a long username that contains special characters to cause an exploitable stack-based buffer overflow and execute arbitrary code.
The fifth vulnerability (CAN-2005-1256) exists in the STATUS command. An authenticated remote attacker could submit a malformed argument to the command and trigger a buffer overflow. This allows an attacker to execute arbitrary code with system-level privileges.
The sixth vulnerability (CAN-2005-1252) allows an attacker to conduct a directory traversal attack due to insufficient validation of user-supplied input passed to the Web Calendaring module. A remote attacker could exploit this vulnerability to read arbitrary
Exploit code is available for the third vulnerability.
A hotfix is available.
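Until the hotfix is applied, oversized arguments to the IMAP commands named above can be flagged in captured client traffic or proxy logs. The following is an added detection example, not part of the original advisory or any Ipswitch code; the 256-character threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed threshold (not from the advisory): longest argument tolerated.
MAX_ARG_LEN = 256
# IMAP commands the advisory names as affected.
WATCHED = {"LOGIN", "SELECT", "STATUS", "LSUB"}

# One argument: a quoted string, a trailing literal announcement {n} or {n+},
# or a bare atom. A literal announces the size of data sent on the next line,
# so the announced size is checked as well as the inline text.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\{(\d+)\+?\}$|(\S+)')

def inspect_line(line):
    """Return (tag, command, reason) for an oversized argument, else None."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2:
        return None
    tag, command = parts[0], parts[1].upper()
    if command not in WATCHED:
        return None
    rest = parts[2] if len(parts) == 3 else ""
    for index, match in enumerate(TOKEN.finditer(rest), start=1):
        quoted, literal, atom = match.groups()
        if literal is not None:
            size = int(literal)      # announced literal size
        elif quoted is not None:
            size = len(quoted)       # content between the quotes
        else:
            size = len(atom)
        if size > MAX_ARG_LEN:
            return (tag, command, f"argument {index} length {size}")
    return None

def scan(lines):
    """Return every finding for a sequence of client command lines."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample client lines (not real traffic).
SAMPLE = [
    "a001 LOGIN alice secret",
    "a002 LOGIN " + "A" * 600 + " secret",
    'a003 SELECT "' + "B" * 1000 + '"',
    "a004 STATUS INBOX (MESSAGES UNSEEN)",
    'a005 LSUB "" {4096}',
    "a006 NOOP",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```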