Bugtraq mailing list archives
Re: PHPXMAIL - Authentication Bypass
From: security () surefoot com
Date: Wed, 6 Jul 2005 14:04:10 -0600
Hi Steve

On Wednesday 06 July 2005 11:57, Steve <St> wrote:
> Author: Stefan Lochbihler
> Date: 6. Juli 2005
> Affected Software: PHPXMAIL
> Software Version: 0.7 -> 1.1
> Software URL: http://phpxmail.sourceforge.net/
> Attack: Authentication Bypass

[...details snipped...]

> The problem occurs when we try to log in with an overlong password because we get no response message from the server and the function doesn't exit. Now when we log in with a username like postmaster@localhost and an overlong password we bypass the error handler and successfully log in.

[...]

> Solution: Maybe insert a maxsize tag to the passwords input field.
> Discovered by Steve

Erm... a maxsize tag will not prevent the attack at all.

J
--
There is no such thing as fortune. Try again.
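
Added example, not part of the original thread and not PHPXMAIL's code: a login check that fails open when the backend sends no reply, next to one that fails closed and enforces the length limit on the server, which is why a length limit in the HTML form changes nothing. The `+OK`/`-ERR` reply format, the 128-byte limit, the credentials and all function names are assumptions made for the illustration.

```php
<?php
// Added illustration; not PHPXMAIL code. Reply format, limit, credentials
// and function names are assumptions made for this example.

const MAX_PASSWORD_BYTES = 128; // assumed server-side limit

// Stand-in for the mail server: it goes silent on an overlong password,
// which is the behaviour the advisory describes.
function backend_reply(string $user, string $pass): string {
    if (strlen($pass) > MAX_PASSWORD_BYTES) {
        return ''; // no response at all
    }
    return ($user === 'postmaster@localhost' && $pass === 'constructed-secret')
        ? '+OK'
        : '-ERR bad credentials';
}

// Fail-open: only an explicit error reply rejects the login, so an empty
// reply skips the error handler and falls through to success.
function login_fail_open(string $user, string $pass): bool {
    $reply = backend_reply($user, $pass);
    if (strncmp($reply, '-ERR', 4) === 0) {
        return false;
    }
    return true;
}

// Fail-closed: the length limit is checked on the server, and only an
// explicit success reply is accepted. Silence counts as failure.
function login_fail_closed(string $user, string $pass): bool {
    if (strlen($pass) > MAX_PASSWORD_BYTES) {
        return false;
    }
    return strncmp(backend_reply($user, $pass), '+OK', 3) === 0;
}

// Constructed input. A request sent without the browser form is not bound
// by any length attribute on the input field, so the server sees all of it.
$long = str_repeat('A', 4096);

echo 'fail-open,   overlong password: ';
var_dump(login_fail_open('postmaster@localhost', $long));
echo 'fail-closed, overlong password: ';
var_dump(login_fail_closed('postmaster@localhost', $long));
echo 'fail-closed, valid password:    ';
var_dump(login_fail_closed('postmaster@localhost', 'constructed-secret'));
```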