Bugtraq mailing list archives
Re: Netscape Messaging server 4.15 poor error strings
From: James Mancini <jmancini () NETREO NET>
Date: Thu, 12 Oct 2000 12:43:47 -0700
I have also confirmed that CommuniGate Pro 3.3.2 exhibits the same behavior, but additionally, it does not pause on authentication failures for non-existent accounts. A 1-2 second pause is typical for an existing account, allowing either a timing or a parsing method of grabbing accounts.

Post.Office 3.1.2 does not appear to suffer from this vulnerability.

--8<--Sample output follows ----
+OK host.company.com POP3 server (Post.Office v3.1.2 release (PO203-101c) with ZPOP version 1.0) ready Thu, 12 Oct 2000 12:36:06 -0700
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser

--8<--Sample output follows ----
+OK CommuniGate Pro POP3 Server 3.3.2 ready
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
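The following is an added example, not part of the original post or of either vendor's code: a check a mail administrator could run over a captured POP3 test session to see whether failed logins for different account names receive different reply wording. The function names are hypothetical, and the two inputs are the sessions quoted above, retyped as constructed sample data.

```python
import re

# Constructed input: the two sessions quoted in the post, one line per message.
POST_OFFICE = """\
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser
"""

COMMUNIGATE = """\
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
"""


def failure_replies(transcript):
    """Map each USER name to the server replies it drew, with the name masked."""
    replies, user = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        if line.lower().startswith("user "):
            user = line.split(None, 1)[1]
            replies[user] = []
        elif user and line.startswith(("+", "-")):
            # Mask the echoed account name so only the wording is compared.
            masked = re.sub(r"\b%s\b" % re.escape(user), "<user>", line)
            replies[user].append(masked)
    return replies


def leaks_account_existence(transcript):
    """True if failed logins for different names get different reply wording."""
    distinct = {tuple(r) for r in failure_replies(transcript).values()}
    return len(distinct) > 1
```

This compares reply text only; the pause difference described in the post does not appear in a plain transcript and has to be measured separately.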