Re: #2846: Security vulnerability in APOP authentication

To: matthias.andree@xxxxxx
Subject: Re: #2846: Security vulnerability in APOP authentication
From: Matthias Andree <matthias.andree@xxxxxx>
Date: Sat, 07 Apr 2007 22:02:28 +0200
Cc: mutt-dev@xxxxxxxx, fleas@xxxxxxxx
In-reply-to: <20070407192710.GA626@xxxxxxxxxxxxxxxxx> (Brendan Cully's message of "Sat\, 7 Apr 2007 12\:27\:11 -0700")
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?Subject="Unsubscribe Mutt Dev"?body=unsubscribe>
References: <qlkveh36fm7.fsf@xxxxxxxxxxxxxx> <20070315103349.GB9831@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <m3zm6b2tlu.fsf@xxxxxxxxxxxxxxxxxxxx> <20070318173604.GA6108@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20070402223113.GA25363@xxxxxxxxxxxxxxxxx> <m3veg8f0qv.fsf@xxxxxxxxxxxxxxxxxxxx> <20070407192710.GA626@xxxxxxxxxxxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.3 (gnu/linux)

Brendan Cully <brendan@xxxxxxxxxx> writes:

>> May I again offer to use my code here which I deem a *COMPLETE*
>> RFC822-validation:
>> <http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c>
>
> I'm afraid that doing heavy validation may introduce interoperability
> problems with some buggy POP servers. Since odd timestamps are
> generally harmless in this context, I'd rather do the minimum needed
> to suppress this vulnerability than enforce strict compliance with the
> RFC.

I have yet to see a server that sends a broken APOP challenge
(timestamp). Those I checked were all very conservative.

And making users complain to their ISPs about broken servers is also a
good thing.

APOP is "for lack of a stronger authenticator" anyways, and since my
upstreams all have at least proper SSL certificates that I can validate
to fend off MITM attacks, I couldn't care less about
interoperability.

The code as shown works on the servers I have access to - that's about
as much as matters to me.

I'm well aware that this isn't representative, yet I think that the more
you accept, the more susceptible you are to Leurent's CVE-2007-1558
attack - and that's avoidable.

-- 
Matthias Andree

References:
- Security vulnerability in APOP authentication
  - From: Gaëtan LEURENT
- Re: Security vulnerability in APOP authentication
  - From: Rocco Rutte
- Re: Security vulnerability in APOP authentication
  - From: Matthias Andree
- Re: Security vulnerability in APOP authentication
  - From: Rocco Rutte
- #2846: Security vulnerability in APOP authentication
  - From: Brendan Cully
- Re: #2846: Security vulnerability in APOP authentication
  - From: Matthias Andree
- Re: #2846: Security vulnerability in APOP authentication
  - From: Brendan Cully

Prev by Date: Re: [Mutt] #2871: #367405: command-line completion backspaces instead
Next by Date: Re: [Mutt] #2846: Security vulnerability in APOP authentication
Previous by thread: Re: #2846: Security vulnerability in APOP authentication
Next by thread: Re: Security vulnerability in APOP authentication
Index(es):
- Date
- Thread