CommuniGate Pro Email Address Verification Vulnerability
BID:1792
Info
CommuniGate Pro Email Address Verification Vulnerability
| Bugtraq ID: | 1792 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 12 2000 12:00AM |
| Updated: | Oct 12 2000 12:00AM |
| Credit: | This vulnerability was discovered and posted to the Bugtraq mailing list by James Mancini <[email protected]> on October 12, 2000. This vulnerability was discovered in relation to one of similar properties discovered in the Netscape Messaging Server by |
| Vulnerable: |
Stalker Communigate Pro 3.3.2 |
| Not Vulnerable: |
Stalker Communigate Pro 3.4 b3 |
Discussion
CommuniGate Pro Email Address Verification Vulnerability
Communigate Pro is an integrated Mail Transport Agent by Stalker Software, and is supported on multiple platforms. This software package displays a vulnerability in communication with the Post Office Protocol Version 3 (POP3) daemon included with the package. The problem occurs in the error response to invalid usernames and invalid passwords.
It is possible for a user to remotely connect to the POP3 daemon and, making use of a program to cycle through a list of usernames and passwords, verify existing users on the mail server. This vulnerability makes it possible for email address harvesters to populate lists with valid email address, allowing the harvester to (for example) send spam to valid user accounts.
Communigate Pro is an integrated Mail Transport Agent by Stalker Software, and is supported on multiple platforms. This software package displays a vulnerability in communication with the Post Office Protocol Version 3 (POP3) daemon included with the package. The problem occurs in the error response to invalid usernames and invalid passwords.
It is possible for a user to remotely connect to the POP3 daemon and, making use of a program to cycle through a list of usernames and passwords, verify existing users on the mail server. This vulnerability makes it possible for email address harvesters to populate lists with valid email address, allowing the harvester to (for example) send spam to valid user accounts.
Exploit / POC
CommuniGate Pro Email Address Verification Vulnerability
See discussion.
See discussion.
Solution / Fix
CommuniGate Pro Email Address Verification Vulnerability
Solution:
A fixed version has been released:
Stalker Communigate Pro 3.3.2
Solution:
A fixed version has been released:
Stalker Communigate Pro 3.3.2
-
Stalker Communigate Pro 3.4b3
http://www.stalker.com/download/