< back to advisories
SurgeMail 3.7b8 Format String Vulnerability
Portcullis Security Advisory 06-060
SurgeMail is prone to a format string vulnerability.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit For Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Version 3.7b8 Linux and maybe previous versions and on other platforms.
SurgeMail offers the ability to charge the recipients a fee for receiving
emails from certain addresses. As soon as such an email comes in, a
notification email containing the amount payable is composed and sent to the
user requesting payment. A user with the privileges allowing them to change
these amounts is then able to exploit a format string vulnerability, caused by
the abdiction of an explicit format string while using the amount value as
parameter in such a function. Furthermore, the amount value can consist of
An attacker could cause a Denial of Service or execute arbitrary code in the
context of the server.
The proof of concept exploit code is available.
Vendor notified. The vulnerability has been fixed.
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.