JVN#86092776
BASP21 vulnerable in handling CRLF sequences
Overview
BASP21, provided by B21Soft, Inc., is a component for Windows applications. BASP21 contains a vulnerability that may allow a remote attacker to inject arbitrary header fields into an email message by embedding Carriage Return / Line Feed (CRLF) sequences in the subject line, or to send unauthorized email to third parties.
Products Affected
- bsmtp.dll included in BASP21 2003.0211
- Versions of BASP21 Pro earlier than 1,0,702,27
Description
Impact
An unauthenticated remote attacker may cause a web application whose email function is implemented with BASP21 to send unintended email, for example by supplying a subject line that contains CRLF sequences followed by additional header fields.
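The injection class the Overview describes, as an added illustration that is not BASP21's code and not the vendor's fix: a minimal header builder that copies a user-supplied subject into an RFC 5322 header block unchecked, beside an incomplete fix that strips only the exact "\r\n" pair, and a hardened builder that refuses any CR or LF. The advisory does not say what the vendor's first, insufficient fix did; the stripped variant here is only a common pattern that fails the same way. All function names and the sample inputs are constructed for this example.

```python
import re

# Line terminators a lenient mail pipeline may honour. Strict RFC 5322 is
# CRLF only, but many MTAs and submission paths also accept a bare LF or CR,
# which is why removing only the exact "\r\n" pair is not a sufficient fix.
_LINE_END = re.compile(r"\r\n|\r|\n")


def build_headers_naive(sender, recipient, subject):
    # Vulnerable: the subject is concatenated into the header block without
    # any check, so a CRLF inside it ends the Subject line and whatever
    # follows is parsed as a new header field (for example a Bcc).
    return ("From: %s\r\n"
            "To: %s\r\n"
            "Subject: %s\r\n"
            "\r\n") % (sender, recipient, subject)


def build_headers_stripped(sender, recipient, subject):
    # Incomplete fix (illustrative, not a description of BASP21's patch):
    # only the literal "\r\n" pair is removed, so a bare "\n" or "\r" passes
    # through and a lenient MTA still treats it as a line break.
    return build_headers_naive(sender, recipient, subject.replace("\r\n", ""))


def build_headers_safe(sender, recipient, subject):
    # Hardened: every caller-controlled header value is rejected outright if
    # it contains any CR or LF. Rejecting is preferable to silently stripping,
    # because a stripped value may still read as a different header.
    for name, value in (("From", sender), ("To", recipient), ("Subject", subject)):
        if re.search(r"[\r\n]", value):
            raise ValueError("CR/LF not allowed in header %s" % name)
    return build_headers_naive(sender, recipient, subject)


def parse_headers(block):
    # Parse the header block the way a lenient receiver would: the block ends
    # at the first empty line, and each line "Name: value" is one field.
    # Header folding is deliberately not handled; it is not needed here.
    head = block.split("\r\n\r\n", 1)[0]
    fields = []
    for line in _LINE_END.split(head):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip(), value.strip()))
    return fields


def bcc_recipients(block):
    # Return every Bcc value found in the header block, i.e. the recipients an
    # attacker managed to smuggle in through the subject line.
    return [v for n, v in parse_headers(block) if n.lower() == "bcc"]


def safe_builder_rejects(subject):
    # True if the hardened builder refuses the given subject.
    try:
        build_headers_safe("app@example.com", "user@example.com", subject)
    except ValueError:
        return True
    return False


# Constructed attacker inputs: the subject carries an extra Bcc header,
# once with a proper CRLF and once with a bare LF.
CRLF_SUBJECT = "Hello\r\nBcc: victim@example.com"
BARE_LF_SUBJECT = "Hello\nBcc: victim@example.com"

if __name__ == "__main__":
    naive = build_headers_naive("app@example.com", "user@example.com", CRLF_SUBJECT)
    print("naive builder, CRLF subject   ->", bcc_recipients(naive))
    stripped_crlf = build_headers_stripped("app@example.com", "user@example.com", CRLF_SUBJECT)
    print("stripped builder, CRLF subject ->", bcc_recipients(stripped_crlf))
    stripped_lf = build_headers_stripped("app@example.com", "user@example.com", BARE_LF_SUBJECT)
    print("stripped builder, bare LF      ->", bcc_recipients(stripped_lf))
    print("safe builder rejects CRLF:", safe_builder_rejects(CRLF_SUBJECT))
    print("safe builder rejects bare LF:", safe_builder_rejects(BARE_LF_SUBJECT))
```

The naive builder lets the attacker add a Bcc recipient; the "strip only CRLF" variant blocks the CRLF form but not the bare-LF form, which is the shape of an incomplete fix; the hardened builder refuses both. Whether a bare LF is honoured depends on the receiving MTA, so the safe choice is to reject every CR and LF in any header value rather than to reason about which terminators a particular mail path accepts.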
Solution
Vendor Status
References
JPCERT/CC Addendum
The original fix for this vulnerability was insufficient. An updated version of the software, which completely addresses this vulnerability, has been released by the developer. Please see JVN#70380788 for more information.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.03.26

Measures | Conditions | Severity |
---|---|---|
Access Required | can be attacked over the Internet using packets | |
Authentication | anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise) | |
Credit
Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
Source | Identifier |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2007-1713 |
JVN iPedia | JVNDB-2007-000226 |
Update History
- 2016/10/13
- "JPCERT/CC Addendum" and "Other Information" were updated. The subject, "Overview", "Impact", and "Vulnerability Analysis by JPCERT/CC" were modified.