Inter7 Vpopmail Authentication Bypass Vulnerability
BID:17894
CVE-2006-2346
| Bugtraq ID: | 17894 |
| Class: | Design Error |
| CVE: | CVE-2006-2346 |
| Remote: | Yes |
| Local: | No |
| Published: | May 08 2006 12:00AM |
| Updated: | May 09 2006 09:39PM |
| Credit: | The vendor disclosed this vulnerability. |
| Vulnerable: | Inter7 vpopmail (vchkpw) 5.4.15; Inter7 vpopmail (vchkpw) 5.4.14 |
| Not Vulnerable: | Inter7 vpopmail (vchkpw) 5.4.16 |
Discussion
Inter7 vpopmail is susceptible to a remote authentication-bypass vulnerability. This issue is due to a logic flaw in the application while handling plaintext password authentication during SMTP AUTH or APOP connections.
This issue allows remote attackers to bypass authentication checks and to gain unauthorized access to SMTP and POP servers. This may aid them in further attacks.
Versions 5.4.14 and 5.4.15 of vpopmail are vulnerable to this issue; other versions may also be affected.
Exploit / POC
Attackers may use standard mail client applications or readily available network utilities to exploit this issue.
Solution / Fix
Solution:
The vendor has released version 5.4.16 to address this issue.
Inter7 vpopmail (vchkpw) 5.4.14
- Inter7 vpopmail-5.4.16.tar.gz
  http://prdownloads.sourceforge.net/vpopmail/vpopmail-5.4.16.tar.gz?download
Inter7 vpopmail (vchkpw) 5.4.15
- Inter7 vpopmail-5.4.16.tar.gz
  http://prdownloads.sourceforge.net/vpopmail/vpopmail-5.4.16.tar.gz?download