Subject: Re: Netscape Messaging server 4.15 poor error strings
From: James Mancini (jmancini NETREO.NET)
Date: Thu Oct 12 2000 - 14:43:47 CDT
- Next message: Renzo Toma: "Apache 1.3.14 Released"
- Previous message: FreeBSD Security Advisories: "FreeBSD Ports Security Advisory: FreeBSD-SA-00:57.muh"
- In reply to: Matt Holtz: "Netscape Messaging server 4.15 poor error strings"
- Reply: James Mancini: "Re: Netscape Messaging server 4.15 poor error strings"
I have also confirmed that CommuniGate Pro 3.3.2 exhibits the same behavior,
but additionally, it does not pause on authentication failures for
non-existent accounts. A 1-2 second pause is typical for an existing
account, allowing either a timing or a parsing method of grabbing accounts.
Post.Office 3.1.2 does not appear to suffer from this vulnerability.
--8<--Sample output follows ----
+OK host.company.com POP3 server (Post.Office v3.1.2 release (PO203-101c)
with ZPOP version 1.0) ready Thu, 12 Oct 2000 12:36:06 -0700
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser
--8<--Sample output follows ----
+OK CommuniGate Pro POP3 Server 3.3.2 ready
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
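
An added example, not part of the original post: a Python check that takes recorded POP3 transcripts like the two above and reports whether failed-login replies differ between accounts once the echoed username is masked. The function names are assumptions of this example; the transcripts are the ones from the post with the banner lines left out, and only the reply text is compared, not response time.

```python
# Transcripts copied from the post above (banner lines omitted).
POST_OFFICE = """\
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser
"""

COMMUNIGATE = """\
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
"""


def failure_signatures(transcript):
    """Map each attempted user to its server replies, with the username masked."""
    sigs, user, replies = {}, None, []
    for line in transcript.splitlines():
        line = line.strip()
        cmd = line.split(" ", 1)
        if cmd[0].lower() == "user" and len(cmd) == 2:
            # A new USER command starts a new login attempt.
            user, replies = cmd[1], []
        elif line.startswith(("+OK", "-ERR")) and user is not None:
            # Mask the echoed name so "failed for nobody" and
            # "failed for realuser" compare as the same reply.
            replies.append(line.replace(user, "<user>"))
            sigs[user] = tuple(replies)
    return sigs


def leaks_account_existence(transcript):
    """True if failed logins for different users get distinguishable replies."""
    return len(set(failure_signatures(transcript).values())) > 1
```

Run against the two transcripts, the check passes Post.Office 3.1.2 and flags CommuniGate Pro 3.3.2, matching the observation in the post.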