On Tue, Feb 29, 2000 at 02:44:08PM +0100, Markus Wuebben wrote:
> Is this known?

Yes.
Is this true? No.

> A complete description of the problem can be found
> at http://www.inter7.com/vpopmail/exploit.html

qmail is not at fault here. vpopmail is. qmail-pop3d indeed does not limit
the username length, but the way I read RFC1939 it is the client which
is not allowed to send a username over 40 characters. It is up to the server
to handle these too-long usernames. qmail-pop3d conforms to RFC1939 in that
it allows usernames of up to 40 characters. That it also supports even
longer usernames is not forbidden.

vpopmail allows input (indirectly from a user) to overflow a buffer. That
is a programming error, and a bad one too.

Greetz, Peter.
--
Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder
|
| 'C makes it easy to shoot yourself in the foot;
| C++ makes it harder, but when you do it blows your whole leg off.'
| Bjarne Stroustrup, Inventor of C++
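
The point made in the message above, that the program receiving the username has to bound it itself whatever the POP3 front end accepts, shown as an added example; it is not part of the original message and is not vpopmail or qmail code. The function names, the 41-byte buffer and the sample usernames are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed back-end buffer: 40 characters (the RFC 1939 figure) plus NUL. */
#define USER_BUF 41

/* Unsafe pattern, shown for contrast and never called below: it trusts the
 * POP3 front end to have limited the length already. */
void store_user_unsafe(char *dst, const char *user)
{
    strcpy(dst, user);  /* writes past dst once strlen(user) >= USER_BUF */
}

/* Hardened form. Returns 0 on success, -1 if the name is empty, does not
 * fit, or contains NUL, control, space or DEL bytes. Overlong names are
 * rejected rather than truncated, so a cut-off name can never match a
 * different, shorter mailbox. */
int store_user_checked(char *dst, size_t dstsz, const char *user, size_t len)
{
    size_t i;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (user == NULL || len == 0 || len >= dstsz)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c <= 0x20 || c == 0x7f)
            return -1;
    }
    memcpy(dst, user, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[USER_BUF], big[201];

    memset(big, 'A', 200);      /* constructed 200-byte username */
    big[200] = '\0';
    printf("alice: %d\n", store_user_checked(buf, sizeof buf, "alice", 5));
    printf("200 bytes: %d\n", store_user_checked(buf, sizeof buf, big, 200));
    return 0;
}
```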