CVE-2006-0447

Name of the Vulnerable Software and Affected Versions E-Post Mail Server version 4.10 SPA-PRO Mail @Solomon version 4.00

Description The issue allows remote attackers to execute arbitrary code via a long username to the "AUTH PLAIN" or "AUTH LOGIN" SMTP commands, which is not properly handled by the EPSTRS.EXE or SPA-RS.EXE executables. Additionally, a long username in the APOP POP3 command can be exploited due to improper handling by EPSTPOP4S.EXE or SPA-POP3S.EXE. A long IMAP DELETE command is also vulnerable due to improper handling by EPSTIMAP4S.EXE or SPA-IMAP4S.EXE.

Recommendations For E-Post Mail Server version 4.10, consider disabling the AUTH PLAIN and AUTH LOGIN SMTP commands until a patch is available. For SPA-PRO Mail @Solomon version 4.00, restrict access to the APOP POP3 command to minimize the risk of exploitation. As a temporary workaround, consider disabling the IMAP DELETE command for both E-Post Mail Server and SPA-PRO Mail @Solomon until a patch is available.