Multiple Vulnerabilities in WebEasyMail for Windows

Reported August 20, 2002, by Stan Bubrouski.



·         WebEasyMail for Windows and earlier versions




Two vulnerabilities exist in WebEasyMail for Windows and earlier versions that can result in a Denial of Service (DoS) condition and information disclosure. The DoS condition results when an attacker sends specially crafted format strings as input, such as the “printf” family of functions, resulting in the service terminating without an error message. The information disclosure vulnerability lets an attacker obtain a valid username and password on the vulnerable system. By default, an attacker can make unlimited logon attempts without the server terminating the connection. If the attacker gives a wrong password, the server responds with "-ERR invalid username" if the user doesn't exist and responds with "-ERR wrong password for this user" if the user exists.




The discoverer posted the following scenarios as proof-of-concept:


For the DoS condition:


$ nc localhost 25

220 ESMTP on WebEasyMail \[\] ready.


502 Error: command not implemented


502 Error: command not implemented


502 Error: command not implemented


\[emsrv.exe silently dies here\]



For the information disclosure vulnerability:


OK POP3 on WebEasyMail \[\] ready.

user dog

+OK user accepted

pass dog

-ERR invalid username

user test

+OK user accepted

pass dog

-ERR wrong password for this user



The vendor, WebEasyMail, has been notified, but has not yet released a patch for this vulnerability.


Discovered by Stan Bubrouski.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.