Vulnerabilities > CVE-2006-0504 - Unspecified vulnerability in Mailenable Enterprise

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
mailenable
nessus

Summary

Unspecified vulnerability in MailEnable Enterprise Edition before 1.2 allows remote attackers to cause a denial of service (CPU utilization) by viewing "formatted quoted-printable emails" via webmail.

Nessus

NASL familyWindows
NASL idMAILENABLE_HTTPMAIL_QP_DOS.NASL
descriptionThe remote host is running MailEnable, a commercial mail server for Windows. According to its banner, using the webmail service bundled with the version of MailEnable Enterprise Edition on the remote host to view specially-formatted quoted-printable messages reportedly may result in 100% CPU utilization.
last seen2020-06-01
modified2020-06-02
plugin id20866
published2006-02-09
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20866
titleMailEnable Webmail Malformed Quoted-printable Email DoS (CVE-2006-0504)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20866);
  script_version("1.18");
  script_cvs_date("Date: 2018/07/14  1:59:37");

  script_cve_id("CVE-2006-0504");
  script_bugtraq_id(16525);

  script_name(english:"MailEnable Webmail Malformed Quoted-printable Email DoS (CVE-2006-0504)");
  script_summary(english:"Checks for quoted-printable message denial of service vulnerability in MailEnable Webmail");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a denial of service issue." );
  script_set_attribute(attribute:"description", value:
"The remote host is running MailEnable, a commercial mail server for
Windows. 

According to its banner, using the webmail service bundled with the
version of MailEnable Enterprise Edition on the remote host to view
specially-formatted quoted-printable messages reportedly may result in
100% CPU utilization." );
  script_set_attribute(attribute:"see_also", value:"http://www.mailenable.com/enterprisehistory.asp" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to MailEnable Enterprise Edition 1.2 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/09");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/01");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mailenable:mailenable");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("smtpserver_detect.nasl", "http_version.nasl");
  script_require_ports("Services/smtp", 25, "Services/www", 8080);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("smtp_func.inc");


port = get_http_port(default:8080, embedded: 1);

# Make sure banner's from MailEnable.
banner = get_http_banner(port:port);
if (!banner) exit(1, "No HTTP banner on port "+port);
if (!egrep(pattern:"^Server: .*MailEnable", string:banner)) exit(0, "MailEnable is not running on port "+port);


# Check the version number from the SMTP server's banner.
smtp_port = get_kb_item("Services/smtp");
if (!smtp_port) smtp_port = 25;
if (!get_port_state(smtp_port)) exit(0, "Port "+smtp_port+" is closed");
if (get_kb_item('SMTP/'+smtp_port+'/broken')) exit(0, "MTA on port "+smtp_port+" is broken");

banner = get_smtp_banner(port:smtp_port);
if (! banner) exit(1, "No SMTP banner on port "+smtp_port);
if (banner !~ "Mail(Enable| Enable SMTP) Service") exit(0, "MailEnable is not running on port "+smtp_port);

  # nb: Standard Edition seems to format version as "1.71--" (for 1.71),
  #     Professional Edition formats it like "0-1.2-" (for 1.2), and
  #     Enterprise Edition formats it like "0--1.1" (for 1.1).
  ver = eregmatch(pattern:"Version: (0-+)?([0-9][^- ]+)-*", string:banner);
  if (!isnull(ver)) {
    if (ver[1] == NULL) edition = "Standard";
    else if (ver[1] == "0-") edition = "Professional";
    else if (ver[1] == "0--") edition = "Enterprise";
  }
  if (isnull(ver) || isnull(edition)) {
    exit(1, "cannot determine edition of MailEnable's SMTP connector service");
  }
  ver = ver[2];

  # nb: Enterprise Edition versions < 1.2 are vulnerable.
  if (edition == "Enterprise" && ver =~ "^1\.[0-1]([^0-9]|$)") {
    security_warning(port);
  }