Diffstat (limited to 'fetchmail-SA-2007-01.txt')
-rw-r--r-- | fetchmail-SA-2007-01.txt | 12
1 files changed, 8 insertions, 4 deletions
diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt index 7c224f93..19bb91c9 100644 --- a/fetchmail-SA-2007-01.txt +++ b/fetchmail-SA-2007-01.txt @@ -1,6 +1,6 @@ fetchmail-SA-2007-01: APOP considered insecure -Topics: The POP3/APOP authentication, by itself, is considered broken. +Topics: APOP authentication insecure, fetchmail implementation lax Author: Matthias Andree Version: 1.0 @@ -44,9 +44,13 @@ control) files for fetchmail. The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP". -Fetchmail's POP3 client implementation however has happily accepted -random garbage as a POP3 server's APOP challenge, rather than insisting -that the APOP challenge conformed to RFC-822, as required by RFC-1939. +APOP should no longer be considered secure. + +Additionally, fetchmail's POP3 client implementation has been validating +the APOP challenge too lightly and accepted random garbage as a POP3 +server's APOP challenge, rather than insisting that the APOP challenge +conformed to RFC-822, as required by RFC-1939. + This made it easier than necessary for man-in-the-middle attackers to retrieve by several probing and guessing the first three characters of the APOP secret, bringing brute forcing the remaining characters well |
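Review bot: In the first hunk the "Topics:" line changes the substance of the advisory (it now names two separate problems, a protocol weakness and a lax fetchmail implementation), yet the "Version: 1.0" line in the trailing context is left untouched. Suggest bumping the version or adding a revision note in the same change so readers of the advisory can tell this revision apart from the original 1.0 text.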
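Review bot: In the second hunk the new sentence "APOP should no longer be considered secure." is added without any justification; the surrounding text only establishes that APOP is "an optional, MD5-based authentication scheme". Suggest adding one sentence (or a reference) stating why the scheme itself is now considered insecure, so the protocol-level weakness is clearly separated from the fetchmail-specific validation problem that the following "Additionally, ..." paragraph describes. Minor: "has been validating the APOP challenge too lightly and accepted random garbage" mixes tenses; "and has accepted" reads cleaner.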