bug & patch in unix pop2 server

Klamer Schutte -- Universiteit Twente klamer at mi.eltn.utwente.nl
Sat Feb 23 01:36:20 AEST 1991


With the pop2 server as supplied with the LifeLine mail program (part of
pc-nfs) it is possible to read (and delete) a random mailbox on the server.

The bug is that one can connect (with helo) without a passwd. The idea was that
this only should be used to detect the presence of mail; but with a following
fold command one can read any mailbox on the server. My fix is to go back
to the initial state (state 0) after the mail check.

To fix this bug, apply the patch below.

Klamer (.signature at end)

PS note that also several return 0; statements need to be added at the end of
   some functions. lint(1) should help!

--- cut here ---
*** popd.c.orig	Thu Dec 20 15:45:38 1990
--- popd.c	Fri Feb 22 14:37:44 1991
***************
*** 192,198 ****
  
  	strcpy (line, "+ POP2 Unix Server on ");
  	gethostname(&line[strlen(line)], 1024-strlen(line));
! 	strcat (line, "\r\n");
  
  	if (debug) setbuf (stdout, NULL);
  
--- 192,198 ----
  
  	strcpy (line, "+ POP2 Unix Server on ");
  	gethostname(&line[strlen(line)], 1024-strlen(line));
! 	strcat (line, " (KS 22/2/91)\r\n");
  
  	if (debug) setbuf (stdout, NULL);
  
***************
*** 281,288 ****
  				    if (check_user(myargv[1], myargv[2])) 
  					return (-1);
  				    msg_cnt = openit(mailbox);
! 				} else
  				    msg_cnt = checkit(mailbox);
  				sprintf (line, "#%d\r\n",msg_cnt);
  				net_out (line);
  				break;
--- 281,291 ----
  				    if (check_user(myargv[1], myargv[2])) 
  					return (-1);
  				    msg_cnt = openit(mailbox);
! 				} else {
  				    msg_cnt = checkit(mailbox);
+ 		/* no passwd, so only helo and quit are allowed -- KS 22/2/91 */
+ 				    next_state = 0;
+ 				}
  				sprintf (line, "#%d\r\n",msg_cnt);
  				net_out (line);
  				break;
-- 
Klamer Schutte
Faculty of electrical engineering -- University of Twente, The Netherlands
klamer at mi.eltn.utwente.nl	{backbone}!mcsun!mi.eltn.utwente.nl!klamer



More information about the Comp.sources.bugs mailing list