October 30, 2003 - There have been two recent reports from independent organizations that there are security issues in FirstClass Servers. Because many administrators are receiving inquiries from their users, here is additional information about these issues.
A vulnerability has been identified in the FirstClass Internet Services which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
The vulnerability is caused due to a boundary error in "fcintsrv.exe" when handling HTTP requests. This can be exploited by sending a specially crafted request, which causes a heap overflow.
The original report is posted on the I2S-Labs website and repeated at the Secunia.com website.
This vulnerability has been fixed in Service Pack 5 and is no longer an issue for sites that are up-to-date with Service Packs.
Even without the Service Pack, this vulnerability is unlikely to compromise a FirstClass system, but it could crash the Internet Services program. In FirstClass, the client connection to the server is controlled by the FirstClass program itself rather than by the OS, as it is in many other programs. If an attack managed to crash the Internet Services program, the connection would immediately be dropped. This is a common attack mode against FTP servers, where crashing the server can drop the attacker into an interactive terminal session on the OS itself. FirstClass is inherently invulnerable to attacks that attempt to crash the FirstClass programs in order to gain access.
A vulnerability has been identified in FirstClass allowing malicious people to see the content of the web root.
The problem is that FirstClass allows anyone to append "/Search" to the URL; by selecting all check boxes and searching for an empty string, an unauthenticated user can list all files in the web root and its subfolders.
The original report is posted at the Secunia.com website.
This is not considered a serious problem. The files that can be displayed this way are the files that are in the WWW folder, nothing from anywhere else.
The items that are in the WWW folder are the web pages, web templates, web help files AND any publicly served conferences. These items are intended to be public anyway so there shouldn't be any problem.
There might be problems if you had private conference aliases there that shouldn't be, or hidden conferences or web pages that were supposed to stay secret (not in any clickable path).
If you wish to turn off the search capability for ALL unauthenticated users, turn off the "Search" privilege on the "Unauthenticated Users" group. A restart of Internet Services (IS) is required. Users would then be asked to log in to complete a search, or would receive a 1030 (not allowed) error. No account, no login allowed, no search.
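As an added defender-side check (not part of the original notice or of FirstClass itself), the following Python script scans web access-log lines for unauthenticated requests to a path ending in "/Search", the listing pattern described above, and counts them by source address. It assumes a Common Log Format layout and uses constructed sample lines, since the notice does not show the Internet Services log format.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (assumption: the access log is
# CLF-like; the real FirstClass Internet Services log layout is not given here).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2003:10:12:01 -0500] "GET /Search HTTP/1.1" 200 8192
203.0.113.7 - - [30/Oct/2003:10:12:05 -0500] "POST /Search HTTP/1.1" 200 65536
198.51.100.3 - jsmith [30/Oct/2003:10:13:40 -0500] "GET /Search HTTP/1.1" 200 1024
203.0.113.9 - - [30/Oct/2003:10:14:02 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [30/Oct/2003:10:14:30 -0500] "GET /Conferences/Search HTTP/1.1" 200 -
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def find_unauthenticated_search(log_text):
    """Return (ip, method, path, status) for each request to a /Search path
    made without an authenticated user ("-" in the CLF user field)."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF-shaped
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("user") == "-" and path.rstrip("/").lower().endswith("/search"):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


def count_by_source(hits):
    """Aggregate hits per client address to spot enumeration bursts."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    found = find_unauthenticated_search(SAMPLE_LOG)
    for ip, n in count_by_source(found).most_common():
        print(f"{ip}: {n} unauthenticated /Search request(s)")
```

The authenticated request from "jsmith" is ignored on purpose; after the "Search" privilege is removed from Unauthenticated Users, any remaining unauthenticated hits should be rejected rather than answered with a listing.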
You can also read a response from Graham Morley, one of the FirstClass developers on the Internet Services team here.
FirstClass continues to be a secure and reliable email and collaboration system. Go to the Secunia Advisories page and look at the number of reports for other mail systems.
News Service © 2003 Acorn MicroSolutions Inc.
FirstClass logos and original content © 2003 Open Text Corporation