[1077] in linux-security and linux-alert archive
[linux-security] pop3d minimal security bug
daemon@ATHENA.MIT.EDU (tHe CyberCOWz)
Mon Aug 26 07:25:25 1996
Date: Sun, 25 Aug 1996 17:55:31 +0100 (GMT+0100)
From: tHe CyberCOWz <hpfs@www.conmet.it>
To: linux-security@tarsier.cv.nrao.edu
Hello!
The popd coming in all the Linux distributions and, in general, any pop
coming with the MBOX ... command, contains a minimal insecurity!
A privileged user like root can read the mailbox of another user simply
by typing:
USER root
PASS *******
MBOX /var/spool/mail/<user name>
The major focus is for servers having only mailbox accounts. Suppose
someone stole root's password: even without a login shell he can read
any user's mailbox, from the net.
[REW: Or normal users having just a pop account could read (parts of)
publicly readable files. -- Just a little surprise to keep in mind if
you ever need an airtight setup....]
Ciao!
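
A server-side check for the path handed to MBOX, as an added example that is not part of the original post and is not taken from any pop3d source. The function names and the policy (only `<spool>/<user>` may be opened, and uid 0 gets no mailbox access over POP) are assumptions chosen to cover both the root case and the moderator's note about other readable files.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy check: 1 only if `requested` is exactly <spool>/<user>. */
int mbox_path_allowed(const char *spool, const char *user, const char *requested)
{
    size_t slen = strlen(spool), ulen = strlen(user);

    /* Reject empty names and names that could act as path components. */
    if (ulen == 0 || strchr(user, '/') || !strcmp(user, ".") || !strcmp(user, ".."))
        return 0;
    /* The request must start with the spool directory followed by '/'. */
    if (strncmp(requested, spool, slen) != 0 || requested[slen] != '/')
        return 0;
    /* Whatever follows must be the authenticated user's name and nothing else. */
    return strcmp(requested + slen + 1, user) == 0;
}

/* Returns a read-only fd for the mailbox, or -1 if the request is refused. */
int open_user_mbox(const char *spool, const char *user, uid_t uid, const char *requested)
{
    struct stat st;
    int fd;

    if (uid == 0)                          /* assumed policy: no root over POP */
        return -1;
    if (!mbox_path_allowed(spool, user, requested))
        return -1;
    /* O_NOFOLLOW refuses a symlinked mailbox; O_NONBLOCK avoids hanging on a FIFO. */
    fd = open(requested, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the object actually opened, not its name: regular file owned by the user. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A server that has to support alternate mailboxes outside the spool would drop the exact-path rule and rely on the ownership check after switching to the user's uid.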