Bugtraq mailing list archives

Re: serious Qpopper 3.0 vulnerability

From: jhigham () BIGSKY NET (Josh Higham)
Date: Tue, 30 Nov 1999 10:54:03 -0700


-----Original Message-----
From: Mixter <mixter () NEWYORKOFFICE COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Tuesday, November 30, 1999 10:23 AM
Subject: serious Qpopper 3.0 vulnerability

PS: The installation file suggests to run qpopper without tcpd, e.g.:
pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
I would NOT suggest doing it that way. Use:
pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
instead. At least for me it works behind a tcp wrapper, and that way,
you can use access control and every connection _attempt_ gets logged.


Does anyone know why qpopper suggests running without wrappers?  Does it
lose some functionality that way, or is it deadwood from a previous
incompatibility between tcpd and qpopper?  It seems pretty significant to
suggest not using wrappers, and I would expect a significant reason for
that, but I don't recall seeing anything about it in the docs.

Josh Higham

Current thread:

Re: serious Qpopper 3.0 vulnerability Josh Higham (Nov 30)
- Re: serious Qpopper 3.0 vulnerability M. Adam Kendall (Dec 01)
- <Possible follow-ups>
- Re: serious Qpopper 3.0 vulnerability Dan Groscost (Nov 30)
- Re: serious Qpopper 3.0 vulnerability Elgin Lee (Nov 30)
- Re: serious Qpopper 3.0 vulnerability Qpopper Support (Nov 30)