[405] in linux-security and linux-alert archive

Re: (fwd) [Linux-ISP] U R G E N T!!!! S E C U R I T Y A L E R T!!!!!!! READ NOW!!

daemon@ATHENA.MIT.EDU (Perry F Nguyen)
Wed Oct 4 19:19:36 1995

Date: Wed, 4 Oct 1995 15:57:38 -0700 (PDT)
From: Perry F Nguyen <pfnguyen@netcom22.netcom.com>
Reply-To: pfnguyen@netcom.com
To: Panzer Boy <panzer@dhp.com>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199510041528.LAA20720@dhp.com>

On Wed, 4 Oct 1995, Panzer Boy wrote:

[Mod: Quoting trimmed.  --Jeff.]

> I have recently discovered a security flaw in pop3d Version 1.004 with 
> shadow password support.  (Not sure about the version without shadow 
> support, but you might want to check).  I discovered that after changing 
> to shadow support and compiling and testing all of my programs (i.e. 
> ftpd, pop3d, login, etc) that the pop3d allowed me to view anyone's mail on 
> my system, no matter what password I put in.  Thinking that it was maybe 

This is quite the problem with the compiled version of pop3d with
shadow, not a bug in the program itself.  The person that compiled it
most likely removed the valid() function call in util.c which is what
checks for a proper password.

To properly fix this, one must compile pop3d with valid.o from the
shadow suite, or include valid.o in libshadow.a.

--
pub  1024/0D97E00D 1995/01/01 Perry "Huy" Francis Nguyen
        Key fingerprint =  CE 62 F2 01 33 87 9D 89  BC 53 8D 11 F9 A0 DE 8F 
  <pfnguyen@netcom.com> -  FTP ftp://ftp.netcom.com/pub/pf/pfn
        FTP or finger pfnguyen@netcom.com for PGP Public Key.
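
Added example (not part of the original message, and not pop3d or shadow-suite code): a post-build smoke test for the failure described above, confirming that a POP3 daemon answers -ERR to a deliberately wrong password. The stub server, its password, the user name and the function names are constructed for illustration; in practice `rejects_bad_password` is pointed at your own freshly built daemon.

```python
import poplib
import socketserver
import threading

def rejects_bad_password(host, port, user, bad_password, timeout=5):
    """True if the POP3 server answers -ERR to a deliberately wrong password."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(bad_password)       # poplib raises error_proto on -ERR
        return False                   # +OK: the password was never checked
    except poplib.error_proto:
        return True
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            conn.close()

def make_stub(check_password):
    """Constructed stand-in daemon; check_password=False mimics the bad build."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.wfile.write(b"+OK stub ready\r\n")
            for raw in self.rfile:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                bad = cmd.upper() == "PASS" and arg != "constructed-secret"
                if bad and check_password:
                    self.wfile.write(b"-ERR invalid password\r\n")
                else:
                    self.wfile.write(b"+OK\r\n")
                if cmd.upper() == "QUIT":
                    break
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for label, enforce in (("password check missing", False),
                           ("password check present", True)):
        srv = make_stub(enforce)
        ok = rejects_bad_password("127.0.0.1", srv.server_address[1], "alice", "wrong")
        print(f"{label}: {'PASS' if ok else 'FAIL, wrong password accepted'}")
        srv.shutdown()
        srv.server_close()
```

Running the check after every rebuild of an authentication daemon (for example after switching to shadow passwords) catches a build that links without its password check before it serves real mailboxes.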
