Home > CAPEC List > CAPEC-183: IMAP/SMTP Command Injection (Version 2.11)  

CAPEC-183: IMAP/SMTP Command Injection

IMAP/SMTP Command Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 183
Abstraction: Standard
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

+ Attack Prerequisites
  • The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.

  • The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.

  • The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.

+ Typical Severity


+ Resources Required

None: No specialized resources are required to execute this type of attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.

+ References
[R.183.1] [REF-4] "OWASP Testing Guide". Testing for IMAP/SMTP Injection (OWASP-DV-011). v4 [DRAFT]. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OWASP-DV-011)>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017