# New Ticket Created by Charlie Brady
# Please include the string: [perl #38806]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38806 >
Qpsmtpd::Auth doesn't validate LOGIN/PLAIN auth strings before dispatching to plugins, which can in turn expose inadequate validation in plugins, possibly leading to false positive authentication. See http://contribs.org/bugzilla/show_bug.cgi?id=1138 for one such case. --- qpsmtpd-0.31.1/lib/Qpsmtpd/Auth.pm 2005-11-18 04:45:36.000000000 -0500 +++ mezzanine_patched_qpsmtpd-0.31.1/lib/Qpsmtpd/Auth.pm 2006-03-26 11:58:27.000000000 -0500 @@ -240,12 +240,21 @@ } ( $passHash, $user, $passClear ) = split /\x0/, decode_base64($prekey); - + unless ($user && $passClear) + { + $session->respond(504, "Invalid authentification string"); + return DECLINED; + } } elsif ($mechanism eq "login") { if ( $prekey ) { ($passHash, $user, $passClear) = split /\x0/, decode_base64($prekey); + unless ($user && $passClear) + { + $session->respond(504, "Invalid authentification string"); + return DECLINED; + } } else {
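Review bot: `unless ($user && $passClear)` tests Perl truthiness, so a username or password of "0" is rejected as an invalid auth string; test `defined` and `length` instead, e.g. `unless (defined $user && length $user && defined $passClear && length $passClear)`. Two smaller points on the same hunk: the identical block is pasted into both the plain and login branches and could be hoisted to one check after the two `split` calls, and the 504 reply is "Unrecognized authentication type" in RFC 4954, which does not describe a malformed credential string (501 is the usual code for that); "authentification" in the message is also misspelled.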

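As an added illustration of the validation the ticket asks for (this is not code from qpsmtpd or from the patch above), the following Perl decodes an AUTH PLAIN initial response the way RFC 4616 defines it and rejects it before any plugin sees it; the function name `parse_auth_plain` and the sample strings are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Decode and validate an AUTH PLAIN initial response (RFC 4616):
#   base64( [authzid] NUL authcid NUL password )
# Returns a hashref on success, or undef with the reason stored in $$err.
sub parse_auth_plain {
    my ($b64, $err) = @_;
    $$err = '';
    # Reject anything that is not well-formed base64 before decoding;
    # decode_base64 silently skips bytes it does not understand.
    if (!defined $b64 || $b64 !~ m{\A[A-Za-z0-9+/]+={0,2}\z} || length($b64) % 4) {
        $$err = 'not base64';
        return undef;
    }
    my $raw = decode_base64($b64);
    # Limit -1 keeps trailing empty fields so the field count is exact.
    my @f = split /\x0/, $raw, -1;
    if (@f != 3) {
        $$err = 'expected three NUL-separated fields, got ' . scalar(@f);
        return undef;
    }
    my ($authzid, $authcid, $pass) = @f;
    # Check length(), not truthiness: a user or password of "0" is legitimate.
    if (!length $authcid || !length $pass) {
        $$err = 'empty authcid or password';
        return undef;
    }
    return { authzid => $authzid, authcid => $authcid, password => $pass };
}

# Constructed sample inputs for this example (not taken from the ticket).
my @samples = (
    encode_base64(join("\0", '', 'alice', 'secret'), ''),  # well formed
    encode_base64(join("\0", '', 'bob',   ''),       ''),  # empty password
    encode_base64('alice',                            ''),  # no NUL separators
    encode_base64(join("\0", '', 'carol', '0'),      ''),  # password "0" is valid
    'not*base64',                                           # rejected before decoding
);

for my $s (@samples) {
    my $why;
    my $cred = parse_auth_plain($s, \$why);
    print $cred ? "accepted authcid=$cred->{authcid}\n" : "rejected: $why\n";
}
```

Only the first and fourth samples are accepted; the fourth is the case a bare `$user && $passClear` test would wrongly reject.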