qpopper timing analysis to determine if a username exists on a system

From: Dennis Lubert (plasmahhat_private-bremen.de)
Date: Sat Mar 15 2003 - 11:13:43 PST


    Hello,
    
    during development of a pop3 tool I found an issue that makes it possible 
    for any user to check the validity of a user on a target system. If a user 
    is valid and an invalid password has been supplied, then the system waits 
    ~10 seconds until it sends a disconnect message and disconnects. If the 
    username was not correct, then it disconnects immediately after the wrong 
    password.
    
    This makes it possible to scan a server for valid users, to generate spam 
    sending lists, or to check a username for another kind of attack.
    
    Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
    
    Attached is the source code for a program that will do a simple check on a 
    pop3 server. Additionally qpopper will also return an answer if the 
    username supplied has a UID < 100 (< 10 for 3.1), which will also be checked.
    
    The fix should be simple, there must be a usleep() call or similar that 
    should either be deleted, or added also to the part where the username was 
    not correct.
    
    greets
    
    Dennis 
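
The second fix option named in the post (apply the delay on the unknown-username path too) can be sketched as below. This is an added example, not qpopper source and not part of the original message: the account table, function names, reply string and the shortened 200 ms delay are assumptions chosen for illustration. Every failure reason (unknown user, low UID, wrong password) is padded to the same deadline and gets the same reply.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Constructed sample accounts; a real server checks hashed passwords. */
struct account { const char *name; unsigned uid; const char *pass; };
static const struct account accounts[] = {
    { "root",  0,    "root-sample"  },
    { "alice", 1000, "alice-sample" },
};
#define MIN_UID       100  /* low-UID cutoff the post reports for 4.0.4 */
#define FAIL_DELAY_MS 200  /* assumption: short so the demo runs quickly */

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
static void sleep_ms(long ms) {
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { }
}
/* Returns 1 on success, 0 on failure; all failures share one padded exit. */
int pop_auth(const char *user, const char *pass) {
    long start = now_ms();
    int ok = 0;
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0 && accounts[i].uid >= MIN_UID
            && strcmp(accounts[i].pass, pass) == 0)
            ok = 1;
    long spent = now_ms() - start;
    if (!ok && spent < FAIL_DELAY_MS)
        sleep_ms(FAIL_DELAY_MS - spent);  /* pad to a fixed deadline */
    return ok;
}
/* One reply for every failure reason. */
const char *pop_reply(int ok) { return ok ? "+OK" : "-ERR authentication failed"; }
/* Wall-clock duration of one attempt, used to compare the failure paths. */
long timed_auth_ms(const char *user, const char *pass, int *ok) {
    long t0 = now_ms();
    *ok = pop_auth(user, pass);
    return now_ms() - t0;
}
int main(void) {
    int ok;
    printf("unknown user:   %ld ms\n", timed_auth_ms("nosuchuser", "x", &ok));
    printf("wrong password: %ld ms\n", timed_auth_ms("alice", "x", &ok));
    return 0;
}
```

Padding to a deadline measured from the start of the check, rather than adding a fixed sleep at the end, also hides any difference in how long the lookup itself takes.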
    
    


