QPOPPER: Password problem

QPOPPER: Password problem

Post by Glen » Fri, 27 Sep 1996 04:00:00

I recently installed Qpopper on my AT&T sysV machine.  The sysv make
wouldn't compile, so I compiled it error-free using the unixware make.  I
have the POP3 server up and running, but it won't recognize any passwords.
The system uses shadow passwording, so in the make file, I set the AUTH
parameter to "AUTH = /etc/password."

I probably don't have AUTH set correctly in the make file, huh?  If you
know what I should do, please let me know!

Glenn Johnson


1. SECURITY Vulnerability on qpopper 2.53 : qpopper 3.x port on FreeBSD ?


As I saw that there is a security bug with qpopper 2.53 (see below) which is
provided by all FreeBSD distribution as the only port, I was wondering
if there is someone working on the qpopper 3.02 port.

Thanks in advance for your help.                Gildas.

Qpopper development has learned of a security vulnerability in
Qpopper 2.53 (and older).  All users of Qpopper are urged to upgrade
to 3.0.2 or later.

The details have been reported to CERT and BugTraq.  The exploit
involves sending a specially-constructed message to a user, then
logging in as that user and issuing the EUIDL command.  A successful
attack can yield a shell running with group 'mail'.

  It is important to note that the attack:

    1.  Requires the ability to log in as a user.
    2.  Can at most give a shell with uid of the user and gid of mail,
potentially allowing access to other user's mail.
    3.  Will be logged.
    4.  Requires Qpopper 2.53 or older.  The current released version is 3.0.2.

In addition, not all sites use group 'mail' or have Qpopper set to
run with gid=mail, or have spools owned by group 'mail' and have rw
group access.  However, this is a very common configuration.

Qpopper 3.0 has additional protections against buffer overflows; this
exploit proves the usefulness of this approach.


Fluxus, 28 rue Desaix, 75015 Paris ---_`\<,_
http://www.fluxus.net           ---- (_)/ (_)
"En 2000, FranceNet change de nom et devient Fluxus"
"In 2000, FranceNet changes its name and becomes Fluxus"

2. Networking Linux

3. compiling qpopper with shadow password support

4. Windows 95 on old 386 notebook: pros and cons ?

5. QPopper & Shadow passwords

6. Starting PCNFSD

7. qpopper "password incorrect"

8. Need KPanel to go away; Kppp says PPP not supported by kernel

9. Qpopper and passwords

10. qpopper with shadow password

11. qpopper and shadow passwords

12. netscape + qpopper under linux = "incorrect password" : H E L P ! ! !

13. Can't set root password- Password busy error -is not due to temp password file