
Re: Security vulnerability in APOP authentication



Rocco Rutte <pdmef@xxxxxxx> writes:

> APOP IMHO should never be considered a secure way of authentication,
> it's just more secure than sending plain passwords over the wire. But
> yes, since the RfC says the "timestamp" must be a syntactically valid
> message-id and mutt doesn't check it, there's some room for improvement.

I've just added rfc822valid.c to fetchmail's SVN[1] (GNU GPL),
which is a dangerously dedicated hand-written RD-parser to validate a
token (const unsigned char *) against rfc-822's msg-id syntax and
returns 0 for invalid and 1 for valid.

It doesn't handle NUL characters yet, since fetchmail stomps over them
anyways when downloading from the net. If NUL-proofing is desirable, we
need to extend the API by a length argument and revise some functions.

Feel free to adapt this stuff to mutt (and feed back improvements and
fixes if you don't mind :-)).

[1] http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c

Comments solicited.

-- 
Matthias Andree
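
The kind of check discussed above, as an added sketch in C: a small recursive-descent validator for RFC 822's msg-id syntax that returns 1 for valid and 0 for invalid. This is not fetchmail's rfc822valid.c; all function names are hypothetical, and it assumes a NUL-terminated token with no comments or whitespace between lexical tokens.

```c
#include <stddef.h>
#include <string.h>

/* atom char: ASCII, not SPACE, not a CTL, not one of RFC 822's specials. */
static int is_atom_char(unsigned char c) {
    return c > 32 && c < 127 && strchr("()<>@,;:\\\".[]", c) == NULL;
}

/* Each parser returns a pointer past what it matched, or NULL on failure. */
static const unsigned char *p_atom(const unsigned char *p) {
    if (!is_atom_char(*p)) return NULL;
    while (is_atom_char(*p)) p++;
    return p;
}

/* Shared body of quoted-string ("...") and domain-literal ([...]). */
static const unsigned char *p_delimited(const unsigned char *p, char open, char close) {
    if (*p++ != open) return NULL;
    for (; *p && *p != close; p++) {
        if (*p > 127 || *p == '\r' || *p == open) return NULL;
        if (*p == '\\' && (*++p == 0 || *p > 127)) return NULL; /* quoted-pair */
    }
    return *p == close ? p + 1 : NULL;
}

static const unsigned char *p_word(const unsigned char *p) {
    return *p == '"' ? p_delimited(p, '"', '"') : p_atom(p);
}

static const unsigned char *p_subdomain(const unsigned char *p) {
    return *p == '[' ? p_delimited(p, '[', ']') : p_atom(p);
}

/* item *("." item): the shape of both local-part and domain. */
static const unsigned char *p_dotted(const unsigned char *p,
        const unsigned char *(*item)(const unsigned char *)) {
    for (;;) {
        if ((p = item(p)) == NULL) return NULL;
        if (*p != '.') return p;
        p++;
    }
}

/* msg-id = "<" local-part "@" domain ">"; 1 if valid, 0 if not. */
int msgid_valid(const unsigned char *s) {
    if (s == NULL || *s++ != '<') return 0;
    if ((s = p_dotted(s, p_word)) == NULL || *s++ != '@') return 0;
    if ((s = p_dotted(s, p_subdomain)) == NULL || *s++ != '>') return 0;
    return *s == '\0'; /* nothing may follow the closing ">" */
}
```

Because the input is treated as a C string, an embedded NUL ends the token early; checking past it would need a length argument, as noted in the message above.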