Re: #2846: Security vulnerability in APOP authentication
Brendan Cully <brendan@xxxxxxxxxx> writes:
>> May I again offer to use my code here which I deem a *COMPLETE*
>> RFC822-validation:
>> <http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c>
>
> I'm afraid that doing heavy validation may introduce interoperability
> problems with some buggy POP servers. Since odd timestamps are
> generally harmless in this context, I'd rather do the minimum needed
> to suppress this vulnerability than enforce strict compliance with the
> RFC.

I have yet to see a server that sends a broken APOP challenge
(timestamp). Those I checked were all very conservative.

And making users complain to their ISPs about broken servers is also a
good thing.

APOP is "for lack of a stronger authenticator" anyways, and since my
upstreams all have at least proper SSL certificates that I can validate
to fend off MITM attacks, I couldn't care less about
interoperability.

The code as shown works on the servers I have access to - that's about
as much as matters to me.

I'm well aware that this isn't representative, yet I think that the more
you accept, the more susceptible you are to Leurent's CVE-2007-1558
attack - and that's avoidable.

--
Matthias Andree
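
Added example, not part of the original message and not the rfc822valid.c linked above: a strict check that accepts an APOP timestamp only when it has the form `<atoms@atoms>` in 7-bit printable ASCII, which is a deliberately narrower subset of the RFC 822 msg-id syntax that RFC 1939 prescribes for the challenge (no quoted strings, no domain literals). The function names and the sample timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 822 atom character: 7-bit ASCII, no SPACE, no CTLs, no specials. */
static int is_atom_char(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f)
        return 0;
    return strchr("()<>@,;:\\\".[]", c) == NULL;
}

/* Consume atom *("." atom); return a pointer past it, or NULL if malformed. */
static const char *skip_dot_atoms(const char *p)
{
    for (;;) {
        const char *start = p;
        while (is_atom_char((unsigned char)*p))
            p++;
        if (p == start)
            return NULL;        /* empty atom: "..", leading or trailing "." */
        if (*p != '.')
            return p;
        p++;
    }
}

/* Return 1 only if ts is exactly "<" atoms "@" atoms ">", otherwise 0. */
int apop_timestamp_ok(const char *ts)
{
    const char *p;
    if (ts == NULL || *ts != '<')
        return 0;
    p = skip_dot_atoms(ts + 1);
    if (p == NULL || *p != '@')
        return 0;
    p = skip_dot_atoms(p + 1);
    if (p == NULL || *p != '>')
        return 0;
    return p[1] == '\0';        /* nothing may follow the closing '>' */
}

int main(void)
{
    /* Constructed sample timestamps, not taken from any real server. */
    const char *s[] = { "<1234.5678@pop.example.org>", "<1234\351@pop.example.org>" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%s -> %s\n", s[i], apop_timestamp_ok(s[i]) ? "accept" : "refuse APOP");
    return 0;
}
```

A client using a check like this would decline to send the APOP digest when the function returns 0, rather than hashing its password together with a challenge it cannot vouch for.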