Published:2007/03/26  Last Updated:2016/10/13

BASP21 vulnerable in handling CRLF sequences


BASP21 provided by B21Soft, Inc. is a component for Windows applications. BASP21 contains a vulnerability which may allow a remote attacker to inject an arbitrary header into an email message by Carriage Return / Line Feed (CRLF) sequences in a subject line or to send an unauthorized email to the third parties.

Products Affected

  • bsmtp.dll included in BASP21 2003.0211
  • Versions of BASP21 Pro earlier than 1,0,702,27



An unauthenticated remote attacker may send an unintended email from a web application which its email function is implemented using BASP21.


Vendor Status


JPCERT/CC Addendum

The original fix for this vulnerability was insufficient. An updated version of the software, which completely addressed this vulnerability has been released by the developer. Please see JVN#70380788 for more information.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.03.26

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)
  • Low-Mid

Description of each analysis measures


Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2007-1713
JVN iPedia JVNDB-2007-000226

Update History

"JPCERT/CC Addendum" and "Other Information" were updated. The subject, "Overview", "Impact", and "Vulnerability Analysis by JPCERT/CC" were modified.