QPopper 4.0.4 buffer overflow

From: Marcell Fodor (m.fodorat_private)
Date: Sun Apr 28 2002 - 12:24:51 PDT


    
    Affected versions: 4.0.3 and 4.0.4, default install.
    Servers that do not process the user's configuration file
    (~/.qpopper-options) are not affected by this bug.
    
    pop_bull.c
    -----------
    int
    CopyOneBull ( POP *p, long bnum, char *name )
    {
        FILE          *bull;
        char           buffer [ MAXMSGLINELEN ];
        BOOL           in_header            = TRUE;
        BOOL           first_line           = TRUE;
        int            nchar; 
        int            msg_num;
        int            msg_vis_num          = 0;
        int            msg_ends_in_nl       = 0;
        char           bullName [ 256 ];
        MsgInfoList   *mp;
    .
    .
    .
        sprintf ( bullName, "%s/%s", p->bulldir, name );
    ------------
    
    The bullName buffer is 256 bytes long, but in the user's
    config file you can define it up to MAXLINELEN-1-sizeof("set bulldir=")
    = 1010 bytes.
    
    ~/.qpopper-options
    --------------
    set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
    --------------
    
    more info: http://mantra.freeweb.hu
    
    Regards,
    Marcell Fodor
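Added example, not from the post and not QPopper's own code: the sprintf pattern quoted above modelled in C, with the length arithmetic that shows why a 1010-byte bulldir overruns the 256-byte stack buffer, a parser for a constructed "set bulldir=AAAA..." options line, and a hardened replacement that checks the snprintf return value. MAXLINELEN = 1024 is an assumption (it is the value consistent with the 1010-byte figure above); BULLNAME_LEN is the 256 from the declaration of bullName. The options line is constructed inside the block.

```c
/* Added example modelling the CopyOneBull() overflow; not QPopper source.
 * MAXLINELEN = 1024 is assumed (1024 - 1 - sizeof("set bulldir=") = 1010,
 * matching the post). BULLNAME_LEN is sizeof(bullName) in CopyOneBull(). */
#include <stdio.h>
#include <string.h>

#define MAXLINELEN   1024   /* assumed value, consistent with the post */
#define BULLNAME_LEN 256    /* char bullName[256] in pop_bull.c */

/* Parse one ~/.qpopper-options line of the form "set bulldir=VALUE".
 * Returns the value length, or -1 if the line is not a bulldir setting or
 * the value would not fit in value[]. Passing a small valuelen here (e.g.
 * BULLNAME_LEN) is the config-side fix: reject oversized paths at parse time. */
int parse_bulldir_option(const char *line, char *value, size_t valuelen)
{
    static const char key[] = "set bulldir=";
    size_t klen = sizeof(key) - 1;
    size_t vlen;

    if (strncmp(line, key, klen) != 0)
        return -1;
    vlen = strcspn(line + klen, "\r\n");
    if (vlen >= valuelen)
        return -1;
    memcpy(value, line + klen, vlen);
    value[vlen] = '\0';
    return (int)vlen;
}

/* Bytes the original sprintf(bullName, "%s/%s", bulldir, name) writes,
 * terminating NUL included. Anything above BULLNAME_LEN runs off the end
 * of the 256-byte stack buffer. */
size_t bull_name_required(const char *bulldir, const char *name)
{
    return strlen(bulldir) + 1 + strlen(name) + 1;
}

int bull_name_overflows(const char *bulldir, const char *name)
{
    return bull_name_required(bulldir, name) > BULLNAME_LEN;
}

/* Hardened replacement: bounded write plus a check of snprintf's return
 * value, which is the length the untruncated string would have had.
 * Truncation is an error, not a silently wrong path. 0 on success, -1 on overflow. */
int build_bull_name(char *dst, size_t dstlen, const char *bulldir, const char *name)
{
    int n = snprintf(dst, dstlen, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed attacker line: "set bulldir=" followed by the longest value the
 * post says fits, MAXLINELEN - 1 - sizeof("set bulldir=") bytes of 'A'.
 * Returns the value length, or 0 if line[] is too small. */
size_t make_max_bulldir_line(char *line, size_t linelen)
{
    static const char key[] = "set bulldir=";
    size_t vlen = MAXLINELEN - 1 - sizeof(key);   /* 1010 */

    if (linelen < sizeof(key) + vlen)
        return 0;
    memcpy(line, key, sizeof(key) - 1);
    memset(line + sizeof(key) - 1, 'A', vlen);
    line[sizeof(key) - 1 + vlen] = '\0';
    return vlen;
}

/* 1 if the original sprintf would overflow bullName for the max-length
 * bulldir, 0 if not, -1 on a setup error. */
int demo_max_bulldir_overflows(void)
{
    char line[MAXLINELEN], bulldir[MAXLINELEN];

    if (!make_max_bulldir_line(line, sizeof line))
        return -1;
    if (parse_bulldir_option(line, bulldir, sizeof bulldir) < 0)
        return -1;
    return bull_name_overflows(bulldir, "1");
}

/* Return value of the hardened builder for the same input: -1 (rejected),
 * 0 if it unexpectedly fit, -2 on a setup error. */
int demo_hardened_rejects_max_bulldir(void)
{
    char line[MAXLINELEN], bulldir[MAXLINELEN], bullName[BULLNAME_LEN];

    if (!make_max_bulldir_line(line, sizeof line))
        return -2;
    if (parse_bulldir_option(line, bulldir, sizeof bulldir) < 0)
        return -2;
    return build_bull_name(bullName, sizeof bullName, bulldir, "1");
}

int main(void)
{
    printf("original sprintf overflows bullName: %d\n", demo_max_bulldir_overflows());
    printf("hardened build_bull_name result:     %d\n", demo_hardened_rejects_max_bulldir());
    return 0;
}
```

The check in build_bull_name is the one that matters at the sprintf site; capping the value length in parse_bulldir_option at BULLNAME_LEN additionally stops an oversized bulldir from ever reaching CopyOneBull, which is the safer place to enforce it since the same setting feeds other path formatting in the server.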
    



    This archive was generated by hypermail 2b30 : Sun Apr 28 2002 - 16:36:56 PDT