Message-ID: <3EF0B2E0.2020306@connectalk.com>
Date: Wed, 18 Jun 2003 14:43:44 -0400
From: "Marc Lafortune" <mlafortune@...nectalk.com>
To: qpopper-bugs@...lcomm.com, bugtraq@...urityfocus.com
Subject: ConnecTalk Security Advisory: Qpopper leaks information during authentication


=============================================================================
ConnecTalk Inc.               Security Advisory

Topic:          Qpopper leaks information during authentication

Vendor: Eudora
Product: qpopper 4.0.4 and qpopper 4.0.5
Note: other versions have not been tested.
Problem found: May 14, 2003
Vendor notification: May 14, 2003
Second vendor notification: May 21, 2003
Public notification: June 18, 2003

I.   Background

Qpopper is the most widely-used server for the POP3 protocol (this
allows users to access their mail using any POP3 client).  Qpopper
supports the latest standards, and includes a large number of optional
features.  Qpopper is normally used with standard UNIX mail transfer and
delivery agents such as sendmail or smail.

II.  Problem Description

When Qpopper is in the authentication phase, using plain text passwords,
the response to the PASS command differs depending on the existence of
the USER.  If a valid username and a wrong password are given, Qpopper
returns a negative response and waits for one more command before closing
the connection.  If an invalid username and password are given, Qpopper
returns a negative response and disconnects right away.

III. Impact

A remote attacker can use this information leak to validate the
existence of a user account.
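The behavioural difference described in sections II and III, modelled as an added example (this is not Qpopper's code): a toy POP3 AUTHORIZATION-state server with the leaky behaviour beside a variant that treats known and unknown users identically. The account table, reply strings, and the assumption that the leaky server answers the extra command with -ERR are constructed for the example.

```python
# Added example, not Qpopper's code: toy model of the POP3 AUTHORIZATION
# state. The account table and reply strings are constructed; how the
# leaky server answers the one extra command it tolerates is an assumption.

ACCOUNTS = {"alice": "s3cret"}   # constructed sample account


def pop3_auth_session(commands, leaky):
    """Replay client `commands` against a simulated server.

    Returns the server's replies; "<closed>" marks the server dropping the
    connection. With leaky=True, a wrong password for a known user leaves
    the connection open for one more command (modelled as -ERR, then close),
    while an unknown user is disconnected immediately after the -ERR.
    With leaky=False both cases are handled the same way.
    """
    replies = ["+OK POP3 server ready"]
    user, one_more = None, False
    for line in commands:
        verb, _, arg = line.partition(" ")
        if one_more:                      # the extra command the leaky server tolerates
            replies += ["-ERR not authenticated", "<closed>"]
            return replies
        verb = verb.upper()
        if verb == "USER":
            user = arg
            replies.append("+OK name accepted")
        elif verb == "PASS":
            if user is not None and ACCOUNTS.get(user) == arg:
                replies.append("+OK mailbox locked and ready")
                continue
            replies.append("-ERR authentication failed")
            if leaky and user in ACCOUNTS:
                one_more = True           # known user: stay open for one more command
            else:
                replies.append("<closed>")
                return replies
        elif verb == "QUIT":
            replies += ["+OK bye", "<closed>"]
            return replies
        else:
            replies.append("-ERR unknown command")
    return replies


def distinguishable(leaky):
    """True if a known user with a wrong password and an unknown user
    produce different server transcripts for identical client input."""
    def run(name):
        return pop3_auth_session(["USER " + name, "PASS wrong-password", "NOOP"], leaky)
    return run("alice") != run("nobody")
```

The uniform variant is what a fix should aim for: the -ERR text and the connection handling after a failed PASS must not depend on whether the USER exists.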


-- 
Marc Lafortune
mlafortune@...nectalk.com
Intégrateur / Integrator
ConnecTalk Inc.
http://www.connectalk.com