Bugtraq mailing list archives
Re: Security hole in imapd - pine 3.96 affected?
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 9 Apr 1997 01:33:32 -0500
+---
| From mrc () cac washington edu Tue Apr 8 09:26:34 1997
| Date: Tue, 4 Mar 1997 15:22:05 -0800
| From: Mark Crispin <mrc () cac washington edu>
| To: pine-info () cac washington edu
| Subject: Re: Pine 3.96
|
| On 4 Mar 1997, Jody Housman wrote:
| > After building 3.96, I checked log_std.c code, and it appears to be the
| > same as what SNI calls the flawed code. Has the security hole been fixed
| > in some other way such as increasing the size of the username buffer?
|
| Yes. Instead of changing the flawed code, there is a booby trap in 3.96
| to catch people who try to exploit it. Attempts to trigger the security
| hole will never get to the flawed code, but will cause a "Crack attempt"
| syslog alert. Also, the advertised banner did not change in 3.96, to make
| it difficult for a bad guy to tell the difference between a vulnerable
| 3.95 server and a non-vulnerable 3.96 server.
|
| Perhaps knowledge of this might deter bad guys from trying to exploit this
| bug. Then again, those of us who have a life have a hard time in
| fathoming the thought processes of those who do not.
|
| In the as-yet unreleased Pine 4.0 (and the current released imap-4.1
| toolkit), the banners changed, so there seemed to be no point in having
| the booby trap. The flawed code is gone entirely in this version.
|
| Unless you have a special reason to continue to run IMAP2bis based
| servers, I recommend that you run the servers in the imap-4.1 toolkit:
| ftp://ftp.cac.washington.edu/mail/imap.tar.Z
| since this version supports IMAP4rev1 and POP3 with UIDL.
|
| -- Mark --
|
| Unsolicited commercial email is NOT welcome at this email address.
+---
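The booby-trap approach described in the message above, sketched as an added example that is not part of the original post and is not taken from the Pine or imapd source: a length guard sits in front of an unmodified unbounded copy, so oversized input is rejected and logged before the flawed routine runs. The function names, the 64-byte buffer size, the peer argument and the exact syslog message format are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define USER_BUF_LEN 64            /* assumed size of the legacy buffer */
static char legacy_user[USER_BUF_LEN];
static int legacy_calls;           /* how often the flawed path was reached */

/* Stand-in for the untouched flawed routine: unbounded copy (hypothetical). */
static void legacy_set_user(const char *user)
{
    legacy_calls++;
    strcpy(legacy_user, user);
}

/* Length of s, scanning at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Guard in front of the flawed code: 0 = passed on, -1 = rejected and logged. */
int guarded_set_user(const char *user, const char *peer)
{
    if (user == NULL || bounded_len(user, USER_BUF_LEN) == USER_BUF_LEN) {
        syslog(LOG_AUTH | LOG_ALERT, "Crack attempt: oversized user name from %s",
               peer ? peer : "unknown");   /* message format is assumed */
        return -1;
    }
    legacy_set_user(user);
    return 0;
}

int legacy_call_count(void) { return legacy_calls; }
const char *current_user(void) { return legacy_user; }

int main(void)
{
    char big[512];                 /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal: %d\n", guarded_set_user("alice", "192.0.2.10"));
    printf("oversized: %d\n", guarded_set_user(big, "192.0.2.10"));
    printf("flawed path reached %d time(s)\n", legacy_call_count());
    return 0;
}
```

A guard of this kind protects only as long as its bound matches the buffer in the code behind it and every caller goes through the guard; removing the unbounded copy, as the message says was done in the later release, takes away that dependency.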