Stack-Based Buffer Overflow in NetWin SurgeMail Affected by Improper Handling of Multipronged HTTP Requests
CVE-2008-1054

Currently unrated

Key Information:

Vendor: Netwin

CVE Published: 27 February 2008

What is CVE-2008-1054?

A stack-based buffer overflow exists in the _lib_spawn_user_getpid function in swatch.exe and surgemail.exe in NetWin SurgeMail versions 38k4 and earlier, as well as beta 39a. A remote attacker can trigger it by sending a specially crafted HTTP request with excessively long headers to webmail.exe and potentially other CGI executables. The overflow occurs while the request's values are being assigned to environment variables; it crashes the backend daemon and may allow execution of arbitrary code.

EPSS Score

22% chance of being exploited in the next 30 days.
