[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0306181608430.12303-100000@neo>
Date: Wed, 18 Jun 2003 16:09:15 -0400 (EDT)
From: Justin Wheeler <jwheeler@...ademons.com>
To: bugtraq@...urityfocus.com
Subject: Re: ConnecTalk Security Advisory: Qpopper leaks information during
authentication
This bug does not exist in QPopper 3.x, as it simply closes the connection
regardless of whether the username is valid or not.
Regards,
Justin Wheeler
--
Programmer - A red-eyed, mumbling mammal capable of conversing with inanimate objects.
On Wed, 18 Jun 2003, Marc Lafortune wrote:
> =============================================================================
> ConnecTalk Inc. Security Advisory
>
> Topic: Qpopper leaks information during authentication
>
> Vendor: Eudora
> Product: qpopper 4.0.4 and qpopper 4.0.5
> Note: other versions have not been tested.
> Problem found: May 14, 2003
> Vendor notification: May 14, 2003
> Second vendor notification: May 21, 2003
> Public notification: June 18, 2003
>
> I. Background
>
> Qpopper is the most widely-used server for the POP3 protocol (this
> allows users to access their mail using any POP3 client). Qpopper
> supports the latest standards, and includes a large number of optional
> features. Qpopper is normally used with standard UNIX mail transfer and
> delivery agents such as sendmail or smail.
>
> II. Problem Description
>
> When Qpopper is in the authentication phase, using plain text passwords,
> the response to the PASS command differs depending on the existance of
> the USER. If a valid username and a wrong password are given, Qpopper
> returns a negative reponse and waits for one more command before closing
> the connection. If an invalid username and password are given, Qpopper
> returns a negative response and disconnects right away.
>
> III. Impact
>
> A remote attacker can use this information leak to validate the
> existance of a user account.
>
>
> --
> Marc Lafortune
> mlafortune@...nectalk.com
> Intégrateur / Integrator
> ConnecTalk Inc.
> http://www.connectalk.com
>
>
>
>
>
Powered by blists - more mailing lists