vpopmail Cleartext Password Authentication Bypass

2006-05-08T06:02:38
ID OSVDB:25445
Type osvdb
Reporter OSVDB
Modified 2006-05-08T06:02:38

Description

Vulnerability Description

vpopmail contains a flaw that may allow a remote attacker to bypass authentication. The issue is triggered by an error in the handling of SMTP AUTH and APOP password authentication: an attacker may be able to authenticate to the mail server as another user by supplying a blank password, resulting in a loss of confidentiality.

Technical Description

Cleartext password authentication must be enabled, and the targeted account must not have a cleartext password stored. Only accounts that meet the second condition can be accessed with a blank password; accounts with a stored cleartext password are not affected.
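The failure mode described above, as an added illustration that is not vpopmail's code: a hypothetical login routine that checks a supplied password against an optional stored cleartext copy. The vulnerable form accepts a blank password whenever the account has no cleartext password stored, because an absent credential and an empty credential look identical at the comparison site; the hardened form refuses to authenticate such accounts by this mechanism at all. The function names and the sample accounts are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative example only (not vpopmail source). A login path compares
 * the supplied password against an optional stored cleartext copy of the
 * account password. When the account has no cleartext password stored,
 * the field is empty (or NULL), and a naive string compare treats an
 * empty supplied password as a match.
 */

/* Vulnerable pattern: no check that a cleartext password is actually
 * on file, so "" == "" authenticates a blank-password login. */
int auth_clear_vulnerable(const char *stored_clear, const char *supplied)
{
    if (stored_clear == NULL)
        stored_clear = "";          /* "never set" collapses to "" */
    return strcmp(stored_clear, supplied) == 0;
}

/* Hardened pattern: an account without a stored cleartext password
 * cannot use this mechanism at all (the same precondition applies
 * before computing an APOP or CRAM-MD5 digest, which needs the
 * cleartext password), a blank supplied password is refused outright,
 * and the remaining comparison does not stop at the first differing
 * byte. */
int auth_clear_hardened(const char *stored_clear, const char *supplied)
{
    if (stored_clear == NULL || stored_clear[0] == '\0')
        return 0;   /* no cleartext password on file: deny */
    if (supplied == NULL || supplied[0] == '\0')
        return 0;   /* blank password: deny */

    size_t n = strlen(stored_clear);
    if (strlen(supplied) != n)
        return 0;

    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(stored_clear[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample accounts: one with a cleartext password stored,
     * one created without it (field left empty). */
    const char *with_clear = "s3cret";
    const char *without_clear = "";

    printf("vulnerable, no clear pw, blank login: %d\n",
           auth_clear_vulnerable(without_clear, ""));   /* 1: bypass */
    printf("hardened,   no clear pw, blank login: %d\n",
           auth_clear_hardened(without_clear, ""));     /* 0: denied */
    printf("hardened,   correct password:         %d\n",
           auth_clear_hardened(with_clear, "s3cret"));  /* 1 */
    printf("hardened,   wrong password:           %d\n",
           auth_clear_hardened(with_clear, "s3cre"));   /* 0 */
    return 0;
}
```

Compile with cc and run; the first output line shows the bypass. The point for anyone reviewing authentication code is the explicit precondition check: "credential on file" must be verified before "credential matches", since an absent credential and an empty one are indistinguishable at the comparison itself.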

Solution Description

Upgrade to version 5.4.16 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.inter7.com/vpopmail.html
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=415350
Secunia Advisory ID: 19987
FrSIRT Advisory: ADV-2006-1698
CVE: CVE-2006-2346
Bugtraq ID: 17894