-rw-r--r-- fetchmail-SA-2007-01.txt | 12
1 files changed, 8 insertions, 4 deletions
diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt
index 7c224f93..19bb91c9 100644
--- a/fetchmail-SA-2007-01.txt
+++ b/fetchmail-SA-2007-01.txt
@@ -1,6 +1,6 @@
fetchmail-SA-2007-01: APOP considered insecure
-Topics: The POP3/APOP authentication, by itself, is considered broken.
+Topics: APOP authentication insecure, fetchmail implementation lax
Author: Matthias Andree
Version: 1.0
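Review bot: the Topics line is rewritten but the "Version: 1.0" context line immediately below it is left unchanged; if this advisory has already been circulated, the rewording (and the larger change to the body further down) should come with a version bump or a revision-history entry so readers can tell the two texts apart. Also consider making the new topic line say what is lax, e.g. "APOP authentication insecure, fetchmail APOP challenge validation too lax", since "fetchmail implementation lax" on its own does not name the defect.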
@@ -44,9 +44,13 @@ control) files for fetchmail.
The POP3 standard, currently RFC-1939, has specified an optional,
MD5-based authentication scheme called "APOP".
-Fetchmail's POP3 client implementation however has happily accepted
-random garbage as a POP3 server's APOP challenge, rather than insisting
-that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+APOP should no longer be considered secure.
+
+Additionally, fetchmail's POP3 client implementation has been validating
+the APOP challenge too lightly and accepted random garbage as a POP3
+server's APOP challenge, rather than insisting that the APOP challenge
+conformed to RFC-822, as required by RFC-1939.
+
This made it easier than necessary for man-in-the-middle attackers to
retrieve by several probing and guessing the first three characters of
the APOP secret, bringing brute forcing the remaining characters well
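Review bot: the added line "APOP should no longer be considered secure." is a bare assertion with no reason attached; the paragraph right above it introduces APOP only as the MD5-based scheme from RFC-1939, so state in one sentence why the scheme itself is now considered broken (the MD5 weakness the advisory relies on), or point to the section of the advisory that explains it. Separately, the new blank line inserted after "...as required by RFC-1939." detaches the unchanged sentence "This made it easier than necessary for man-in-the-middle attackers..." from the paragraph it refers to; "This" now opens a paragraph of its own and could be read as referring to the APOP-insecure statement rather than to the lax challenge validation. Either drop that blank line or start the sentence with an explicit subject such as "Accepting non-conforming challenges made it easier...".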