Bugtraq mailing list archives
Re: Problems with FTGate
From: glynn () SENSEI CO UK (Glynn Clements)
Date: Thu, 29 Jun 2000 07:47:43 +0100
Jeremy C. Reed wrote:
> FTGate's POP3 server responds to invalid USER requests with a -ERR code
> and doesn't disconnect you. This means that it is possible to bruteforce
> usernames and passwords with ease.

What does "invalid USER requests" mean? It is normal for (at least RFC 1939-based) POP3 servers to output an "-ERR" message and to then allow the user to attempt another USER/PASS attempt. From RFC 1939:

    To authenticate using the USER and PASS command combination, the client
    must first issue the USER command. If the POP3 server responds with a
    positive status indicator ("+OK"), then the client may issue either the
    PASS command to complete the authentication, or the QUIT command to
    terminate the POP3 session. If the POP3 server responds with a negative
    status indicator ("-ERR") to the USER command, then the client may either
    issue a new authentication command or may issue the QUIT command.

RFC 1939 goes on to say:

    The server may return a positive response even though no such mailbox
    exists. The server may return a negative response if mailbox exists, but
    does not permit plaintext password authentication.

AFAIK, it is considered good practice not to make any distinction between a bad username and a good username with a bad password when performing username/password authentication. The UCD-derived pop3d works this way:

    +OK cerise POP3 Server (Version 1.005l) ready at <Thu Jun 29 07:45:26 2000>
    USER foo
    +OK please send PASS command
    PASS xyz
    -ERR invalid usercode or password, please try again

[NB: user "foo" does not exist.]

-- 
Glynn Clements <glynn () sensei co uk>
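The two server behaviours discussed in this thread, side by side, as an added example (not code from FTGate, the UCD pop3d, or anyone in the thread): a minimal POP3 AUTHORIZATION-state handler where `leaky=True` answers -ERR at USER time for unknown mailboxes, and `leaky=False` accepts any USER and returns the same generic -ERR after PASS, so a bad username and a bad password look identical to the client. The `USERS` store, the class and function names, and the failed-login limit are assumptions made for the illustration.

```python
import hashlib
import hmac
# Constructed sample store: username -> SHA-256(password). Illustration only;
# a real server would use a slow, salted password hash.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def check_password(user, password):
    # Hash and compare even for unknown users so both paths do similar work.
    candidate = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(user, candidate)  # placeholder keeps compare_digest uniform
    return hmac.compare_digest(stored, candidate) and user in USERS

class Pop3Auth:
    """AUTHORIZATION-state handler for USER/PASS/QUIT.
    leaky=True: -ERR at USER for unknown mailboxes (reveals valid usernames).
    leaky=False: accept any USER, one generic -ERR after PASS (RFC 1939 style)."""
    def __init__(self, leaky=False, max_failures=3):
        self.leaky, self.max_failures = leaky, max_failures
        self.failures, self.user = 0, None
        self.authenticated = self.closed = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if self.leaky and arg not in USERS:
                return "-ERR no such user"
            self.user = arg
            return "+OK please send PASS command"
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            if check_password(self.user, arg):
                self.authenticated = True
                return "+OK maildrop locked and ready"
            self.user = None
            self.failures += 1
            if self.failures >= self.max_failures:
                self.closed = True  # server-side mitigation: end the session
                return "-ERR too many failed logins, closing connection"
            return "-ERR invalid usercode or password, please try again"
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        return "-ERR unknown command"

def login_replies(leaky, user, password):
    # Replies to USER then PASS, for comparing the two server policies.
    s = Pop3Auth(leaky=leaky)
    return s.handle(f"USER {user}"), s.handle(f"PASS {password}")
```

With `leaky=False`, `login_replies` gives the same pair of replies for an unknown user and for a known user with a wrong password; with `leaky=True` the first reply already differs.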
Current thread:
- Problems with FTGate Andrew Lewis (Jun 26)
- Re: Problems with FTGate Jeremy C. Reed (Jun 27)
- Re: Problems with FTGate Glynn Clements (Jun 28)
- Re: Problems with FTGate Jeremy C. Reed (Jun 27)