[1077] in linux-security and linux-alert archive

[linux-security] pop3d minimal security bug

daemon@ATHENA.MIT.EDU (tHe CyberCOWz)
Mon Aug 26 07:25:25 1996

Date: Sun, 25 Aug 1996 17:55:31 +0100 (GMT+0100)
From: tHe CyberCOWz <hpfs@www.conmet.it>
To: linux-security@tarsier.cv.nrao.edu

Hello!

The popd that comes with all the Linux distributions and, in general, any pop 
that comes with the MBOX ... command contains a minimal insecurity!
A privileged user like root can read the mailbox of another user simply 
by typing:

USER root
PASS *******
MBOX /var/spool/mail/<user name>

The major focus is on servers having only mailbox accounts. Suppose 
someone stole root's password: even without a login shell he can read 
any user's mailbox from the net.

[REW: Or normal users having just a pop account could read (parts of)
publicly readable files. -- Just a little surprise to keep in mind if 
you ever need an airtight setup....]

Ciao!
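
One way a POP server could restrict an MBOX-style argument so that every authenticated identity, root included, reaches only its own spool file. This is an added example, not part of the original post and not code from any pop3d; the function names and the user "alice" are hypothetical, and the spool directory is the one shown in the post.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Spool directory as shown in the post; function names are hypothetical. */
#define SPOOL_DIR "/var/spool/mail/"

/* A login name may be used as a file name only if it is one path component. */
static int safe_name(const char *s)
{
    if (s == NULL || *s == '\0' || !strcmp(s, ".") || !strcmp(s, ".."))
        return 0;
    return strchr(s, '/') == NULL;
}

/* Policy check on the MBOX argument: allow only the authenticated user's
 * own spool file, compared as an exact string, so neither root nor a
 * mail-only account can name another mailbox or an arbitrary file. */
int mbox_request_allowed(const char *auth_user, const char *requested)
{
    char expected[512];
    int n;

    if (!safe_name(auth_user) || requested == NULL)
        return 0;
    n = snprintf(expected, sizeof expected, "%s%s", SPOOL_DIR, auth_user);
    if (n < 0 || (size_t)n >= sizeof expected)
        return 0;
    return strcmp(requested, expected) == 0;
}

/* Check on the fstat() result of the opened file: it must be a regular,
 * singly linked file owned by the authenticated uid. Being uid 0 is not
 * an exemption, so root reading someone else's mailbox is refused here. */
int mbox_owner_ok(const struct stat *st, uid_t auth_uid)
{
    return S_ISREG(st->st_mode) && st->st_nlink == 1 && st->st_uid == auth_uid;
}

int main(void)
{
    /* Constructed sample requests; "alice" is a made-up account. */
    printf("root  -> own spool:   %d\n", mbox_request_allowed("root", SPOOL_DIR "root"));
    printf("root  -> alice spool: %d\n", mbox_request_allowed("root", SPOOL_DIR "alice"));
    printf("alice -> /etc/passwd: %d\n", mbox_request_allowed("alice", "/etc/passwd"));
    return 0;
}
```

The ownership check is meant to run on the descriptor after the file is opened, ideally once the server has already dropped to the authenticated user's uid, so that a path passing the string check still cannot be served if it is not that user's file.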