| Field | Value |
| --- | --- |
| VID | 18074 |
| Severity | 40 |
| Port | 106 |
| Protocol | TCP |
| Class | POP |
| Detailed Description | The POP Password Changer, according to its banner, has an unauthorized access vulnerability. POP Password Changer (poppassd_pam) is a server for changing system passwords and POP users' passwords on Linux operating systems. poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows a remote attacker to change passwords for arbitrary users. This vulnerability can allow an unauthenticated attacker to modify the password of a user and gain full access to the account.<br>* Note: This check relies solely on the banner of the remote POP Password Changer to assess this vulnerability, so the result might be a false positive.<br>* References: http://freshmeat.net/projects/poppassd_pam/?branch_id=18872<br>* Platforms Affected: poppassd_pam 1.0 and earlier; Linux Any version |
| Recommendation | Apply the appropriate patch for this vulnerability, as listed in the Security Advisory reported by Wade Turland - Jan 11th 2005 at http://freshmeat.net/projects/poppassd_pam/?branch_id=18872<br>For Gentoo Linux: Upgrade to the latest version of poppassd_pam (1.8.4 or later), as listed in Gentoo Linux Security Advisory GLSA 200501-22 at http://www.gentoo.org/security/en/glsa/glsa-200501-22.xml |
| Related URL | CVE-2005-0002 (CVE) |
| Related URL | 12240 (SecurityFocus) |
| Related URL | 18866 (ISS) |