oss-sec mailing list archives

Re: CVE request: dovecot unauthorized login

From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 9 Mar 2008 20:13:45 -0400 (EDT)

Subject: [Dovecot-news] Security hole #6: Some passdbs allowed users
to log        in without a    valid password
Date: Sun, 09 Mar 2008 13:09:44 +0200
From: Timo Sirainen <tss () iki fi>
Reply-To: dovecot () dovecot org
To: Dovecot News List <dovecot-news () dovecot org>
CC: Dovecot Mailing List <dovecot () dovecot org>

...

The main problem is that Dovecot's internal protocols use TAB character
as a delimiter, but passwords were sent unescaped through them. So
passwords containing TAB characters allowed to add new internal fields.
The main problem here is a new "skip_password_check" field added in
v1.0.11 to fix problems with master user logins. Specifying this field
allowed the user to skip the password check, as the name implies.


Use CVE-2008-1218

- Steve

Current thread:

CVE request: dovecot unauthorized login Jonathan Smith (Mar 09)
- Re: CVE request: dovecot unauthorized login Steven M. Christey (Mar 09)
- Re: CVE request: dovecot unauthorized login Steven M. Christey (Mar 10)
  - Re: CVE request: dovecot unauthorized login Jonathan Smith (Mar 10)
    - Re: CVE request: dovecot unauthorized login Steven M. Christey (Mar 10)