[15670] in bugtraq
Re: FTGate and POP3 protocol
daemon@ATHENA.MIT.EDU (Jeremy C. Reed)
Thu Jul 6 16:54:02 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSI.4.21.0007051615210.21879-100000@mail.postalzone.com>
Date: Wed, 5 Jul 2000 16:23:34 -0700
Reply-To: "Jeremy C. Reed" <jcr@IWBC.NET>
From: "Jeremy C. Reed" <jcr@IWBC.NET>
X-To: Andrew Lewis <wizdumb@UNIX.ZA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.10.10007021523290.45406-100000@unix.za.net>
On Sun, 2 Jul 2000, Andrew Lewis wrote:
> Yeah, it's official - it's a problem with the POP3 protocol rather than
> with FTGate specifically. Other affected daemons are gnu-pop3d,
gnu-pop3d does not act this way.
> Although returning a -ERR code when an invalid username is given *is* RFC
> compliant, and that there is the delay feature to slow-down bruteforcing,
> it's still a fairly stupid idea. :/
In the following examples, jcr is a real/valid user and bogususer is an
invalid user:
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1163.962839007@jcr2.iwbc.net>
user jcr
+OK
pass 12345
-ERR Bad login
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1165.962839016@jcr2.iwbc.net>
user bogususer
+OK
pass 12345
-ERR Bad login
(My previous posting about gnu-pop3d was unclear. I also misunderstood
the original posting -- I thought that it was saying that if the USER
didn't authenticate with PASS then it should disconnect.)
Jeremy C. Reed
-----------------------------------------
IWBC ISP Services
jcr@iwbc.net
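The two behaviours discussed in this thread, as an added illustration that is neither Jeremy's code nor gnu-pop3d's: a toy POP3 AUTHORIZATION-state handler (RFC 1939 USER/PASS) in Python. With reveal_users=True it answers -ERR to USER for an unknown mailbox, so the reply alone tells a client whether an account exists; with reveal_users=False it mirrors the gnu-pop3d transcripts above, where every USER gets +OK and both the wrong password and the unknown user fail at PASS with the same "-ERR Bad login". The account table and passwords are constructed.

```python
import hmac
import hashlib

# Constructed sample accounts (hypothetical); passwords stored as hashes.
ACCOUNTS = {"jcr": hashlib.sha256(b"correct horse").hexdigest()}
_DUMMY = hashlib.sha256(b"no-such-user").hexdigest()


def _check_password(user, password):
    """Verify a password; unknown users are compared against a dummy
    digest so known and unknown names take the same code path."""
    stored = ACCOUNTS.get(user, _DUMMY)
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given) and user in ACCOUNTS


class Pop3Auth:
    def __init__(self, reveal_users=False):
        self.reveal_users = reveal_users
        self.user = None
        self.authenticated = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if self.reveal_users and arg not in ACCOUNTS:
                return "-ERR No such user"  # leaks mailbox existence
            self.user = arg
            return "+OK"
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            if _check_password(self.user, arg):
                self.authenticated = True
                return "+OK Logged in"
            self.user = None  # back to AUTHORIZATION; client must retry USER
            return "-ERR Bad login"
        if verb == "QUIT":
            return "+OK"
        return "-ERR Unknown command"


def transcript(server, commands):
    """Feed client lines to a server instance and collect its replies."""
    return [server.handle(c) for c in commands]
```

Running transcript() on the two sessions from the post ("user jcr"/"pass 12345" and "user bogususer"/"pass 12345") against Pop3Auth() yields identical replies, which is the property the transcripts demonstrate.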