[17212] in bugtraq
Re: Netscape Messaging server 4.15 poor error strings
daemon@ATHENA.MIT.EDU (James Mancini)
Fri Oct 13 19:25:44 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <PNEMKPACPCPFPDEMDHEKMEKDCAAA.jmancini@netreo.net>
Date: Thu, 12 Oct 2000 12:43:47 -0700
Reply-To: James Mancini <jmancini@NETREO.NET>
From: James Mancini <jmancini@NETREO.NET>
X-To: Matt Holtz <mholtz@PUCK.NETHER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001011173048.A1952@voyager.net>
I have also confirmed that CommuniGate Pro 3.3.2 exhibits the same behavior,
but additionally, it does not pause on authentication failures for
non-existent accounts. a 1-2 second pause is typical for an existing
account, allowing either a timing or a parsing method of grabbing accounts.
Post.Office 3.1.2 does not appear to suffer from this vulnerability.
--8<--Sample output follows ----
+OK host.company.com POP3 server (Post.Office v3.1.2 release (PO203-101c)
with ZPOP version 1.0) ready Thu, 12 Oct 2000 12:36:06 -0700
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser
--8<--Sample output follows ----
+OK CommuniGate Pro POP3 Server 3.3.2 ready
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
