Bugtraq mailing list archives
Re: Problems with FTGate
From: jcr () IWBC NET (Jeremy C. Reed)
Date: Tue, 27 Jun 2000 18:13:41 -0700
On Mon, 26 Jun 2000, Andrew Lewis wrote:
> FTGate's POP3 server responds to invalid USER requests with a -ERR code and doesn't disconnect you. This means that it is possible to bruteforce usernames and passwords with ease.
What does "invalid USER requests" mean? It is normal for (at least RFC 1939-based) POP3 servers to output an "-ERR" message and to then allow the user to attempt another USER/PASS attempt.
From RFC 1939:
    To authenticate using the USER and PASS command combination, the client must first issue the USER command. If the POP3 server responds with a positive status indicator ("+OK"), then the client may issue either the PASS command to complete the authentication, or the QUIT command to terminate the POP3 session. If the POP3 server responds with a negative status indicator ("-ERR") to the USER command, then the client may either issue a new authentication command or may issue the QUIT command.

This issue (problem?) exists in several other POP3 servers, including the patched (for virtual domains) version of gnu-pop3d that I use.

RFC 2449 has a capability idea called LOGIN-DELAY that may partially help this problem.

Since most POP3 connections are done via a script or a program (not manually), I agree that a POP3 server should close the connection after an "-ERR" in the authorization state.

(Of course, a more serious problem is using plain POP3 to transfer plain-text usernames and passwords -- but that's another discussion.)

Jeremy Reed
http://www.iwbc.net/
http://bsd.reedmedia.net/
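The server-side behaviour discussed in this reply, as an added example that is not part of the thread or of FTGate: a minimal POP3 AUTHORIZATION-state handler that keeps the RFC 1939 USER/PASS semantics but drops the connection on the first "-ERR" (the change suggested above) and advertises the RFC 2449 LOGIN-DELAY capability. The account table, the delay value and the response strings are constructed for illustration.

```python
# Added example: POP3 AUTHORIZATION-state handling that closes on the first -ERR.
# Accounts, LOGIN_DELAY and response texts are constructed sample values.
import hmac

LOGIN_DELAY = 60   # seconds, advertised via the RFC 2449 LOGIN-DELAY capability


class Pop3Authorization:
    """Tracks one connection's AUTHORIZATION state.

    process(line) returns (response_line, close_connection). With
    close_on_err=True a failed authentication attempt ends the session,
    instead of leaving the client free to retry USER/PASS indefinitely.
    """

    def __init__(self, accounts, close_on_err=True):
        self.accounts = accounts          # {username: password}, sample data
        self.close_on_err = close_on_err
        self.user = None
        self.authenticated = False

    def process(self, line):
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "CAPA":
            return f"+OK\r\nUSER\r\nLOGIN-DELAY {LOGIN_DELAY}\r\n.", False
        if cmd == "QUIT":
            return "+OK bye", True
        if cmd == "USER":
            # Answer uniformly whether or not the name exists, so the USER
            # reply alone does not confirm which mailboxes are valid.
            self.user = arg
            return "+OK name is a valid mailbox", False
        if cmd == "PASS":
            if self.user is None:
                return "-ERR USER first", self.close_on_err
            expected = self.accounts.get(self.user, "")
            # Constant-time comparison; unknown users fail regardless of input.
            ok = (self.user in self.accounts and
                  hmac.compare_digest(expected.encode(), arg.encode()))
            if ok:
                self.authenticated = True
                return "+OK maildrop locked and ready", False
            self.user = None
            return "-ERR invalid password", self.close_on_err
        return "-ERR unknown command", False
```

Wire `process()` into a socket loop and close the connection whenever the second element of the tuple is True; `close_on_err=False` reproduces the retry-until-success behaviour the original report complains about.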