<<< Date Index >>>     <<< Thread Index >>>

Re: [Mutt] #2846: Security vulnerability in APOP authentication



#2846: Security vulnerability in APOP authentication

Comment (by Matthias Andree):

 {{{
 Brendan Cully <brendan@xxxxxxxxxx> writes:

 >> May I again offer to use my code here which I deem a *COMPLETE*
 >> RFC822-validation:
 >> <http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c>
 >
 > I'm afraid that doing heavy validation may introduce interoperability
 > problems with some buggy POP servers. Since odd timestamps are
 > generally harmless in this context, I'd rather do the minimum needed
 > to suppress this vulnerability than enforce strict compliance with the
 > RFC.

 I have yet to see a server that sends a broken APOP challenge
 (timestamp). Those I checked were all very conservative.

 And making users complain to their ISPs about broken servers is also a
 good thing.

 APOP is "for lack of a stronger authenticator" anyways, and since my
 upstreams all have at least proper SSL certificates that I can validate
 to fend off MITM attacks, I couldn't care less about
 interoperability.

 The code as shown works on the servers I have access to - that's about
 as much as matters to me.

 I'm well aware that this isn't representative, yet I think that the more
 you accept, the more susceptible you are to Leurent's CVE-2007-1558
 attack - and that's avoidable.
 }}}

-- 
Ticket URL: <http://www.mutt.org/ticket/2846#comment:>