Bugtraq mailing list archives
Re: UW c-client library vulnerability
From: Josh Higham <jhigham () BIGSKY NET>
Date: Fri, 1 Sep 2000 16:49:26 -0600
-----Original Message-----
From: Juhapekka Tolvanen <juhtolv () ST JYU FI>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Friday, September 01, 2000 3:56 PM
Subject: UW c-client library vulnerability
It seems that c-client libraries by University of Washington have some bug(s) that make some programs that depend upon those libraries go crazy. AFAIK affected programs include at least Pine (read "pain"), ipop3d and IMAPD. And those programs and libraries are commonly used in Unixes. I don't know if any patch, fix, work-around etc. exists.
Looks like all boxes get an extra message inserted. It looks something like this:

,-----
| From MAILER-DAEMON Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON () host com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
I don't know if it's the IMAP daemon or the pine client who is responsible for this.
The header may be causing some problems with PINE and/or IMAP that cause it to misparse the mailbox, but the 'INTERNAL DATA' message is created by the UW IMAP/POP3 daemon when you first connect.

The first time it happened I couldn't figure out the problem, because I only used POP once or twice, normally using pine. Later I was responsible for a multiuser system, and every POP mailbox had that message.

AFAIK it is coincidental that these people first saw it in pine after receiving your message. Perhaps they usually just POP, but after receiving that file used pine to investigate things?

As a note, if you change POP daemons from UW to something else, remember to delete that first message from the mailboxes, or your users will send you a message or two (hundred) :-).

Josh Higham
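The cleanup step mentioned at the end of the reply above, as an added example that is not part of the original post or of the UW software: it removes the pseudo-message from an mbox file only when it is the first message and matches the envelope sender and subject quoted in this thread. The function names, the sample mailbox and the host.example addresses are constructed for illustration.

```python
import mailbox

# Values taken from the pseudo-message quoted in this thread.
MARKER_SUBJECT = "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
MARKER_SENDER = "MAILER-DAEMON"

# Constructed sample mailbox: the pseudo-message first, then one real message
# that happens to reuse the marker subject and must be kept.
SAMPLE_MBOX = (
    "From MAILER-DAEMON Wed Aug 30 09:54:25 2000\n"
    "Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)\n"
    "From: Mail System Internal Data <MAILER-DAEMON@host.example>\n"
    "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA\n"
    "\n"
    "Placeholder body (constructed).\n"
    "\n"
    "From alice@host.example Thu Aug 31 10:00:00 2000\n"
    "From: alice@host.example\n"
    "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA\n"
    "\n"
    "Why is this in my inbox?\n"
    "\n"
)


def is_internal_data(msg):
    """True if msg looks like the pseudo-message: daemon envelope sender plus marker subject."""
    envelope = msg.get_from().split()  # "From " line without the leading "From "
    sender = envelope[0] if envelope else ""
    return sender == MARKER_SENDER and (msg["Subject"] or "").strip() == MARKER_SUBJECT


def strip_internal_data(path):
    """Remove the pseudo-message only if it is the first message. Returns True if removed."""
    box = mailbox.mbox(path, create=False)
    box.lock()  # do not rewrite a spool a delivery agent may be appending to
    try:
        keys = box.keys()
        if not keys or not is_internal_data(box[keys[0]]):
            return False
        box.remove(keys[0])
        box.flush()  # rewrites the file without the removed message
        return True
    finally:
        box.unlock()
        box.close()
```

Run it against a copy of the spool first; a later message that merely reuses the subject is left in place because only the first message is examined.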