Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely.

New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue. See the details below for more information. Also, new Pine packages are provided since these are built together... why not? Might as well upgrade that too, while I'm fixing the fake security problem. :-)

Updated libc-client packages that fix a buffer overflow issue are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

C-client is a common API for accessing mailboxes.

A buffer overflow flaw was discovered in the way C-client parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue.

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996)

The html_entity_decode() PHP function was found to not be binary safe.
An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the 'html_entity_decode()' function with untrusted input from the user and displayed the result. (CVE-2006-1490)

The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208)

An input validation error was found in the 'mb_send_mail()' function.
An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the 'mb_send_mail()' function where the 'To' parameter can be controlled by the attacker. (CVE-2005-3883)

A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933).

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

An updated imap package that fixes a buffer overflow issue is now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols.

A buffer overflow flaw was discovered in the way the c-client library parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996)

The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208)

A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. (CVE-2005-2933)

The wordwrap() PHP function did not properly check for integer overflow in the handling of the 'break' parameter. An attacker who could control the string passed to the 'break' parameter could cause a heap overflow. (CVE-2006-1990)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

FrSIRT reports :

A vulnerability has been identified in UW-IMAP, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a stack overflow error in the 'mail_valid_net_parse_work()' [src/c-client/mail.c] function that does not properly handle specially crafted mailbox names containing a quote (') character, which could be exploited by authenticated remote attackers to execute arbitrary commands with the privileges of the IMAP server.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2006:0276 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache     HTTP Web server.

    The phpinfo() PHP function did not properly sanitize long strings.  An     attacker could use this to perform cross-site scripting attacks against     sites that have publicly-available PHP scripts that call phpinfo().
    (CVE-2006-0996)

    The html_entity_decode() PHP function was found to not be binary safe. An     attacker could use this flaw to disclose a certain part of the memory.  In     order for this issue to be exploitable the target site would need to have a     PHP script which called the html_entity_decode() function with untrusted     input from the user and displayed the result.  (CVE-2006-1490)

    The error handling output was found to not properly escape HTML output in     certain cases.  An attacker could use this flaw to perform cross-site     scripting attacks against sites where both display_errors and html_errors     are enabled.  (CVE-2006-0208)

    An input validation error was found in the mb_send_mail() function.  An     attacker could use this flaw to inject arbitrary headers in a mail sent via     a script calling the mb_send_mail() function where the To parameter can     be controlled by the attacker.  (CVE-2005-3883)

    A buffer overflow flaw was discovered in uw-imap, the University of     Washington's IMAP Server.  php-imap is compiled against the static c-client     libraries from imap and therefore needed to be recompiled against the fixed     version.  This issue only affected Red Hat Enterprise Linux 3.
    (CVE-2005-2933).

    Users of PHP should upgrade to these updated packages, which contain     backported patches that resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

'infamous41md' discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.

php-imap is compiled against the static c-client libs from imap. These packages have been recompiled against the updated imap development packages.

'infamous41md' discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.

The updated packages have been patched to address this issue.

The remote host is affected by the vulnerability described in GLSA-200510-10 (uw-imap: Remote buffer overflow)

    Improper bounds checking of user-supplied data while parsing IMAP     mailbox names can lead to overflowing the stack buffer.
  Impact :

    Successful exploitation requires an authenticated IMAP user to     request a malformed mailbox name. This can lead to execution of     arbitrary code with the permissions of the IMAP server.
  Workaround :

    There are no known workarounds at this time.

'infamous41md' discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code.

The remote host appears to be running a version of the University of Washington's IMAP daemon that is prone to a buffer overflow vulnerability involving long mailbox names that begin with a double-quote character.  An authenticated attacker may be able to exploit this to execute arbitrary code subject to the privileges of the user.

There is a flaw in the remote UW-IMAP server that allows an authenticated user to execute arbitrary code on the server.  The flaw is in the way that UW-IMAP handles quoted mailbox names.  Specifically, an attacker supplying a long mailbox name which only contained one '"' would be able to overwrite memory and execute arbitrary code.

ID	Name	Product	Family	Severity
54865	Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : imapd (SSA:2005-310-06)	Nessus	Slackware Local Security Checks	high
21969	CentOS 4 : libc-client (CESA-2005:848)	Nessus	CentOS Local Security Checks	high
21897	CentOS 3 / 4 : php (CESA-2006:0276)	Nessus	CentOS Local Security Checks	high
21875	CentOS 3 : imap (CESA-2005:850)	Nessus	CentOS Local Security Checks	high
21594	RHEL 2.1 : php (RHSA-2006:0501)	Nessus	Red Hat Local Security Checks	high
21396	FreeBSD : imap-uw -- mailbox name handling remote buffer vulnerability (1f6e2ade-35c2-11da-811d-0050bf27ba24)	Nessus	FreeBSD Local Security Checks	high
21287	RHEL 4 : php (RHSA-2006:0276)	Nessus	Red Hat Local Security Checks	medium
20270	RHEL 2.1 / 3 : imap (RHSA-2005:850)	Nessus	Red Hat Local Security Checks	high
20269	RHEL 4 : libc-client (RHSA-2005:848)	Nessus	Red Hat Local Security Checks	high
20122	Mandrake Linux Security Advisory : php-imap (MDKSA-2005:194)	Nessus	Mandriva Local Security Checks	high
20119	Mandrake Linux Security Advisory : imap (MDKSA-2005:189)	Nessus	Mandriva Local Security Checks	high
20030	GLSA-200510-10 : uw-imap: Remote buffer overflow	Nessus	Gentoo Local Security Checks	high
19969	Debian DSA-861-1 : uw-imap - buffer overflow	Nessus	Debian Local Security Checks	high
19938	UW-IMAP Mailbox Name Buffer Overflow	Nessus	Gain a shell remotely	medium
3251	UW-IMAP Quote String Buffer Overflow	Nessus Network Monitor	IMAP Servers	medium

Detections

Analytics

CVE-2005-2933

critical

Tenable Plugins

high

high

high

high

high

high

medium

high

high

high

high

high

high

medium

medium