Message-ID: <3EF1C1D2.1020505@connectalk.com>
Date: Thu, 19 Jun 2003 09:59:46 -0400
From: "Marc Lafortune" <mlafortune@...nectalk.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: ConnecTalk Security Advisory: Qpopper leaks information during authentication ** Forget this one... **


This information was previously discovered and announced by Dennis 
Lubert (plasmahhinformatik.uni-bremen.de).

see http://archives.neohapsis.com/archives/bugtraq/2003-03/0227.html for 
original advisory.


Marc Lafortune wrote:
> ============================================================================= 
> 
> ConnecTalk Inc.               Security Advisory
> 
> Topic:          Qpopper leaks information during authentication
> 
> Vendor: Eudora
> Product: qpopper 4.0.4 and qpopper 4.0.5
> Note: other versions have not been tested.
> Problem found: May 14, 2003
> Vendor notification: May 14, 2003
> Second vendor notification: May 21, 2003
> Public notification: June 18, 2003
> 
> I.   Background
> 
> Qpopper is the most widely-used server for the POP3 protocol (this
> allows users to access their mail using any POP3 client).  Qpopper
> supports the latest standards, and includes a large number of optional
> features.  Qpopper is normally used with standard UNIX mail transfer and
> delivery agents such as sendmail or smail.
> 
> II.  Problem Description
> 
> When Qpopper is in the authentication phase, using plain text passwords,
> the response to the PASS command differs depending on the existence of
> the USER.  If a valid username and a wrong password are given, Qpopper
> returns a negative response and waits for one more command before closing
> the connection.  If an invalid username and password are given, Qpopper
> returns a negative response and disconnects right away.
> 
> III. Impact
> 
> A remote attacker can use this information leak to validate the
> existence of a user account.
> 
> 


-- 
Marc Lafortune
Intégrateur / Integrator
ConnecTalk Inc.
http://www.connectalk.com
tel: 514.856.3060
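As an added illustration (not code from the advisory or from Qpopper itself), a small Python model of the PASS behaviour described in section II beside a hardened variant that fails the same way whether or not the USER exists; the account data, the +OK reply to USER, and the reply to the one extra command are assumptions:

```python
ACCOUNTS = {"alice": "s3cret"}  # constructed sample data, not real accounts


class Pop3Auth:
    """Model of one connection's authentication phase (added example).

    leak=True mirrors the advisory: a wrong password for an existing user
    gets -ERR but the connection stays open for one more command; an
    unknown user gets -ERR and is disconnected immediately.
    leak=False is the hardened form: every failed PASS takes the same path
    (-ERR, then disconnect), so nothing observable depends on USER validity.
    """

    def __init__(self, leak):
        self.leak = leak
        self.user = None
        self.connected = True
        self.close_after_next = False

    def command(self, line):
        if not self.connected:
            raise ConnectionError("server closed the connection")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.close_after_next:          # the one extra command, then close
            self.connected = False
            return "-ERR"                  # reply text here is an assumption
        if verb == "USER":
            self.user = arg
            return "+OK"                   # assumed: USER is accepted unconditionally
        if verb == "PASS":
            if ACCOUNTS.get(self.user) == arg:
                return "+OK"
            if self.leak and self.user in ACCOUNTS:
                self.close_after_next = True   # leak: still connected after -ERR
            else:
                self.connected = False         # uniform failure path
            return "-ERR"
        if verb == "QUIT":
            self.connected = False
            return "+OK"
        return "-ERR"


def observe(leak, user, password):
    """Return what a client can see: (PASS reply, still connected afterwards)."""
    s = Pop3Auth(leak)
    s.command("USER " + user)
    reply = s.command("PASS " + password)
    return reply, s.connected


def leaks_user_existence(leak):
    """True if a wrong password behaves differently for valid vs unknown users."""
    return observe(leak, "alice", "wrong") != observe(leak, "nobody", "wrong")
```

The mitigation is the single failure path in the hardened branch: the reply and the connection state after a failed PASS must be identical for both cases, otherwise the difference remains observable.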


