Home > CAPEC List > CAPEC-183: IMAP/SMTP Command Injection (Version 2.4)  

CAPEC-183: IMAP/SMTP Command Injection

 
IMAP/SMTP Command Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 183
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

+ Attack Prerequisites
  • The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.

  • The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.

  • The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for this attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.

+ References
[R.183.1] [REF-4] "OWASP Testing Guide". Testing for IMAP/SMTP Injection (OWASP-DV-011). v4 [DRAFT]. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OWASP-DV-011)>.
+ Content History
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2014-02-06Updated Description SummaryInternal

Page Last Updated: April 10, 2014