POP Password Changer Unauthorized Password Change Vulnerability
BID:12240
Info
| Bugtraq ID: | 12240 |
| Class: | Design Error |
| CVE: | CVE-2005-0002 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 11 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | Discovery is credited to Marcus Hanwell. |
| Vulnerable: | poppassd_pam 1.0; poppassd_ceti 1.0 |
| Not Vulnerable: | poppassd_ceti 1.8.4 |
Discussion
poppassd_pam is reported prone to a vulnerability that may allow remote unauthorized users to change passwords. This issue can potentially allow an attacker to gain superuser privileges on a vulnerable computer.
Reportedly, the application does not check the validity of old passwords before changing a password.
poppassd_pam 1.0 is affected by this vulnerability.
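The missing check described above, shown as an added example rather than poppassd_pam's own code: a password-change routine that either skips or enforces verification of the old password. The function names, the `verify_old` switch and the in-memory account store are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 64
enum result { CHANGED, AUTH_FAILED, BAD_REQUEST };

/* Constructed in-memory accounts. A real daemon would verify through PAM or
   salted hashes and would never hold plaintext passwords. */
struct account { const char *user; char pass[PW_MAX]; };
static struct account store[] = { {"alice", "old-secret"}, {"root", "root-secret"} };

static struct account *find(const char *user) {
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].user, user) == 0) return &store[i];
    return NULL;
}

/* Compare without returning at the first differing byte. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

const char *stored_password(const char *user) {
    struct account *a = find(user);
    return a ? a->pass : NULL;
}

/* verify_old == 0 reproduces the reported design error (old password ignored);
   verify_old == 1 is the corrected order: authenticate first, then change. */
enum result change_password(const char *user, const char *old_pw,
                            const char *new_pw, int verify_old) {
    if (!user || !old_pw || !new_pw || !*new_pw || strlen(new_pw) >= PW_MAX)
        return BAD_REQUEST;
    struct account *acct = find(user);
    /* Unknown user and wrong password give the same answer. */
    if (verify_old && (!acct || !same(acct->pass, old_pw))) return AUTH_FAILED;
    if (!acct) return AUTH_FAILED;
    strcpy(acct->pass, new_pw);   /* length checked above */
    return CHANGED;
}

int main(void) {
    printf("checked, wrong old pw: %d\n", change_password("alice", "guess", "n3w", 1));
    printf("checked, right old pw: %d\n", change_password("alice", "old-secret", "n3w", 1));
    printf("unchecked, wrong old pw: %d\n", change_password("root", "guess", "n3w", 0));
    return 0;
}
```

With the check enabled, a wrong old password leaves the stored credential untouched; with it disabled, any caller who can reach the service can reset any account, including root.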
Exploit / POC
An exploit is not required.
Solution / Fix
Solution:
Gentoo has released an advisory (GLSA 200501-22) to address this issue, encouraging users to migrate to poppassd_ceti 1.8.4. Gentoo users may carry out the following commands to update their computers:
emerge --sync
emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"
Please see the referenced Gentoo advisory for more information.
References
References:
- poppassd_pam Product Page (POP Password Changer)