[30472] in bugtraq
Re: ConnecTalk Security Advisory: Qpopper leaks information during
daemon@ATHENA.MIT.EDU (Justin Wheeler)
Wed Jun 18 17:38:29 2003
Date: Wed, 18 Jun 2003 16:09:15 -0400 (EDT)
From: Justin Wheeler <jwheeler@datademons.com>
To: bugtraq@securityfocus.com
In-Reply-To: <3EF0B2E0.2020306@connectalk.com>
Message-ID: <Pine.LNX.4.44.0306181608430.12303-100000@neo>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
This bug does not exist in QPopper 3.x, as it simply closes the connection
regardless of whether the username is valid or not.
Regards,
Justin Wheeler
--
Programmer - A red-eyed, mumbling mammal capable of conversing with inanimate objects.
On Wed, 18 Jun 2003, Marc Lafortune wrote:
> =============================================================================
> ConnecTalk Inc. Security Advisory
>
> Topic: Qpopper leaks information during authentication
>
> Vendor: Eudora
> Product: qpopper 4.0.4 and qpopper 4.0.5
> Note: other versions have not been tested.
> Problem found: May 14, 2003
> Vendor notification: May 14, 2003
> Second vendor notification: May 21, 2003
> Public notification: June 18, 2003
>
> I. Background
>
> Qpopper is the most widely-used server for the POP3 protocol (this
> allows users to access their mail using any POP3 client). Qpopper
> supports the latest standards, and includes a large number of optional
> features. Qpopper is normally used with standard UNIX mail transfer and
> delivery agents such as sendmail or smail.
>
> II. Problem Description
>
> When Qpopper is in the authentication phase, using plain text passwords,
> the response to the PASS command differs depending on the existance of
> the USER. If a valid username and a wrong password are given, Qpopper
> returns a negative reponse and waits for one more command before closing
> the connection. If an invalid username and password are given, Qpopper
> returns a negative response and disconnects right away.
>
> III. Impact
>
> A remote attacker can use this information leak to validate the
> existance of a user account.
>
>
> --
> Marc Lafortune
> mlafortune@connectalk.com
> Intégrateur / Integrator
> ConnecTalk Inc.
> http://www.connectalk.com
>
>
>
>
>
