Hello to all,

I detected a security bug in Courier IMAP (even in 1.4.0). The problem is: when LDAP is used, with LDAP_AUTHBIND enabled and also LDAP_TLS enabled, courier does the following:

1. connect to the server on conn1
2. enable tls on conn1
3. search for the given user to retrieve the full DN
4. if found, creates conn2 to the server
5. on conn2 it binds with the user's DN and given password
6. if ok, the user is authenticated

The problem is that conn2 has no TLS on it, because it's a new connection, and so the password is sent in CLEAR! Thus the TLS is used only for searching the user's DN, which is less critical than the password. I detected this when running OpenLDAP 2.0.18 with ssf=128 for the bind operation (which doesn't allow any binds without strong? security).

Attached is a patch for Courier IMAP 1.4.0 which moves the start_tls from the ldapopen() function into a function of its own, enable_tls_on(LDAP *conn), which is then called for both connections, once from ldapopen for the first connection, and from auth_ldap_do() for the bind connection.

I don't know where to post this patch for inclusion (if it's ok and well done), so I posted here. Please, some kind souls, tell me where to forward it.

Iustin Pop

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
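The search-then-bind flow from the report, as an added example that is not Courier's code or the attached patch: it models the two connections with a constructed fake LDAP connection (so it runs offline) that records any password crossing a connection before TLS was negotiated, and shows the buggy build beside the fix of calling enable_tls_on() on both connections. The fake's method names are assumptions; the python-ldap equivalents would be start_tls_s(), search_s() and simple_bind_s().

```python
from dataclasses import dataclass, field

# Constructed sample directory: full DN -> password.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "s3cret"}

@dataclass
class FakeLdapConn:
    """Stand-in for one LDAP connection (hypothetical API, not libldap)."""
    tls: bool = False
    cleartext_secrets: list = field(default_factory=list)

    def start_tls(self):
        self.tls = True

    def search_dn(self, uid):
        # Step 3 of the report: resolve a login name to its full DN.
        for dn in DIRECTORY:
            if dn.startswith(f"uid={uid},"):
                return dn
        return None

    def simple_bind(self, dn, password):
        if not self.tls:                       # password left the host unprotected
            self.cleartext_secrets.append(password)
        return DIRECTORY.get(dn) == password

class ConnFactory:
    """Opens fresh connections and keeps them so their wire state can be inspected."""
    def __init__(self):
        self.opened = []
    def open(self):
        conn = FakeLdapConn()
        self.opened.append(conn)
        return conn

def enable_tls_on(conn):
    """Counterpart of the patch's enable_tls_on(): one call per connection."""
    conn.start_tls()

def auth_search_then_bind(factory, uid, password, tls_on_bind_conn):
    """Steps 1-6 from the report; tls_on_bind_conn=False reproduces the bug."""
    conn1 = factory.open()
    enable_tls_on(conn1)                        # step 2: TLS on the search connection
    dn = conn1.search_dn(uid)                   # step 3
    if dn is None:
        return False
    conn2 = factory.open()                      # step 4: a brand-new session, no TLS yet
    if tls_on_bind_conn:
        enable_tls_on(conn2)                    # the fix: negotiate TLS before binding
    return conn2.simple_bind(dn, password)      # steps 5-6

def leaked_secrets(factory):
    """Passwords that crossed any connection without TLS; must be empty after the fix."""
    return [s for c in factory.opened for s in c.cleartext_secrets]
```

Running the buggy variant succeeds but leaves the password in leaked_secrets(); the fixed variant authenticates with nothing leaked.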
