| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jun 2003 14:43:44 -0400 From: "Marc Lafortune" <mlafortune@...nectalk.com> To: qpopper-bugs@...lcomm.com, bugtraq@...urityfocus.com Subject: ConnecTalk Security Advisory: Qpopper leaks information during authentication ============================================================================= ConnecTalk Inc. Security Advisory Topic: Qpopper leaks information during authentication Vendor: Eudora Product: qpopper 4.0.4 and qpopper 4.0.5 Note: other versions have not been tested. Problem found: May 14, 2003 Vendor notification: May 14, 2003 Second vendor notification: May 21, 2003 Public notification: June 18, 2003 I. Background Qpopper is the most widely-used server for the POP3 protocol (this allows users to access their mail using any POP3 client). Qpopper supports the latest standards, and includes a large number of optional features. Qpopper is normally used with standard UNIX mail transfer and delivery agents such as sendmail or smail. II. Problem Description When Qpopper is in the authentication phase, using plain text passwords, the response to the PASS command differs depending on the existance of the USER. If a valid username and a wrong password are given, Qpopper returns a negative reponse and waits for one more command before closing the connection. If an invalid username and password are given, Qpopper returns a negative response and disconnects right away. III. Impact A remote attacker can use this information leak to validate the existance of a user account. -- Marc Lafortune mlafortune@...nectalk.com Intégrateur / Integrator ConnecTalk Inc. http://www.connectalk.com
Powered by blists - more mailing lists