This information was previously discovered and announced by Dennis Lubert (plasmahhinformatik.uni-bremen.de). See http://archives.neohapsis.com/archives/bugtraq/2003-03/0227.html for the original advisory.

Marc Lafortune wrote:
> =============================================================================
>
> ConnecTalk Inc. Security Advisory
>
> Topic: Qpopper leaks information during authentication
>
> Vendor: Eudora
> Product: qpopper 4.0.4 and qpopper 4.0.5
> Note: other versions have not been tested.
> Problem found: May 14, 2003
> Vendor notification: May 14, 2003
> Second vendor notification: May 21, 2003
> Public notification: June 18, 2003
>
> I. Background
>
> Qpopper is the most widely-used server for the POP3 protocol (this
> allows users to access their mail using any POP3 client). Qpopper
> supports the latest standards, and includes a large number of optional
> features. Qpopper is normally used with standard UNIX mail transfer and
> delivery agents such as sendmail or smail.
>
> II. Problem Description
>
> When Qpopper is in the authentication phase, using plain text passwords,
> the response to the PASS command differs depending on the existence of
> the USER. If a valid username and a wrong password are given, Qpopper
> returns a negative response and waits for one more command before closing
> the connection. If an invalid username and password are given, Qpopper
> returns a negative response and disconnects right away.
>
> III. Impact
>
> A remote attacker can use this information leak to validate the
> existence of a user account.
>
> --
> Marc Lafortune
> Intégrateur / Integrator
> ConnecTalk Inc.
> http://www.connectalk.com
> tel: 514.856.3060
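The difference in connection handling described in the advisory can be pinned down as a regression check. The following is an added example, not part of the original post and not Qpopper's code: a toy Python model of the authentication phase with the behaviour the advisory describes (`uniform=False`) next to one possible uniform alternative (`uniform=True`, an assumption, not the vendor's fix). The class and function names, the account and the reply text are all constructed.

```python
ACCOUNTS = {"alice": "correct horse"}   # constructed sample account
FAIL = "-ERR Authentication failed"     # constructed reply text, not Qpopper's wording

class Pop3AuthSession:
    """Toy model of the POP3 AUTHORIZATION state (USER/PASS only)."""

    def __init__(self, uniform):
        self.uniform = uniform        # False: behaviour described in the advisory
        self.user = None
        self.drop_after_next = False  # server hangs up after answering one more command
        self.closed = False

    def command(self, line):
        if self.closed:
            raise ConnectionError("server closed the connection")
        if self.drop_after_next:
            self.closed = True        # this command is still answered, then hang up
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            self.user = arg
            return "+OK Password required"
        if verb.upper() != "PASS":
            return "-ERR Unknown command"
        known = self.user in ACCOUNTS
        if known and ACCOUNTS[self.user] == arg:
            return "+OK maildrop ready"
        if self.uniform or not known:
            self.closed = True        # disconnect right away
        else:
            self.drop_after_next = True   # valid user: wait for one more command
        return FAIL

def failure_observables(uniform, user):
    """What a client sees after a failed PASS: (reply, next command answered?)."""
    session = Pop3AuthSession(uniform)
    session.command("USER " + user)
    reply = session.command("PASS wrong-password")
    try:
        session.command("NOOP")
        return reply, True
    except ConnectionError:
        return reply, False

def leaks_user_existence(uniform):
    """Regression check: failures must look identical for known and unknown users."""
    return failure_observables(uniform, "alice") != failure_observables(uniform, "no-such-user")
```

The reply text is identical in both failure cases; only the second element of the tuple, whether the server answers one more command, distinguishes them, which is why the check compares connection state as well as the reply.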