[12786] in bugtraq
Re: serious Qpopper 3.0 vulnerability
daemon@ATHENA.MIT.EDU (Josh Higham)
Wed Dec 1 12:21:27 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <0b6001bf3b5b$e42d4ce0$16e1fcce@adhara.bigsky.net>
Date: Tue, 30 Nov 1999 10:54:03 -0700
Reply-To: Josh Higham <jhigham@BIGSKY.NET>
From: Josh Higham <jhigham@BIGSKY.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
-----Original Message-----
From: Mixter <mixter@NEWYORKOFFICE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Tuesday, November 30, 1999 10:23 AM
Subject: serious Qpopper 3.0 vulnerability
>PS: The installation file suggests to run qpopper without tcpd, e.g.:
>pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
>I would NOT suggest doing it that way. Use:
>pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
>instead. At least for me it works behind a tcp wrapper, and that way,
>you can use access control and every connection _attempt_ gets logged.
Does anyone know why qpopper suggests running without wrappers? Does it
lose some functionality that way, or is it deadwood from a previous
incompatibility between tcpd and qpopper? It seems pretty significant to
suggest not using wrappers, and I would expect a significant reason for
that, but I don't recall seeing anything about it in the docs.
Josh Higham
