[tpop3d-discuss]BUG ? - empty password allows any password

Jose de Paula Eufrásio Junior jjunior at pib.com.br
Mon, 05 Jul 2004 10:52:04 -0300


I just stumbled on this:

user@domain can log in to pop3 (tpop3d) but not to imap. Looking at the
database, I see that:

password_hash = {crypt}

and a normal user has something like

password_hash = {crypt}HsQP/FxpSt3h2

Then, using any random password, I can log in to the pop3 account of the
user. Meaning, users with an incomplete password can use any password to
log in.

I'm using:

tpop3d, version 1.5.3

Available authentication drivers:

  auth-pam         Uses Pluggable Authentication Modules
  auth-mysql       Uses a MySQL database

Available mailbox drivers:

  maildir          Qmail-style maildir
  empty            Empty mailbox

Enabled features:

  Mass virtual hosting
  Suppress C-client metadata

------------
/etc/tpop3d.conf

listen-address: 0.0.0.0
max-children: 200
timeout-seconds: 600

# Where are the emails?
mailbox: maildir:/var/spool/mail/$(local_part[0])/$local_part/$(user[0])/$(user)/Maildir

# Authentication!
auth-pam-enable: false
auth-mysql-enable: true
auth-mysql-database: virtualemail
auth-mysql-username: ****
auth-mysql-password: ****

# Logging

log-facility: local0

# Queries

auth-mysql-pass-query: SELECT concat(domain.path, '/', 
popbox.mbox_name), popbox.password_hash, domain.unix_user, 'maildir' 
FROM popbox, domain WHERE popbox.local_part = '$(local_part)' AND 
popbox.domain_name = '$(domain)' AND popbox.domain_name = domain.domain_name

------------------------------------

thanks

-- 
José de Paula Eufrásio Júnior
Systems Analyst | CPD
ProInternet do Brasil
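
An added example, not part of the original post and not tpop3d code: a Python audit that flags rows from the `popbox` table whose `password_hash` carries the `{crypt}` prefix with no complete hash after it, like the account described above. The sample rows other than the first are constructed, and the format checks (13-character DES crypt, `$id$salt$hash` modular strings) are an assumed heuristic for what a complete hash looks like.

```python
import re

# Traditional DES crypt(3) output: 2 salt + 11 hash characters (13 total).
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Heuristic for modular crypt strings such as $1$salt$hash (assumption).
MODULAR_CRYPT = re.compile(r"\$[^$]+\$.+\$[./0-9A-Za-z]{22,}")
# "{scheme}" prefix followed by the stored digest, as in the popbox table.
SCHEME = re.compile(r"\{([A-Za-z0-9_-]+)\}(.*)", re.DOTALL)


def classify(stored):
    """Return 'ok', 'empty', 'malformed' or 'unchecked' for one password_hash."""
    if stored is None or not stored.strip():
        return "empty"
    m = SCHEME.fullmatch(stored.strip())
    if m is None:
        return "unchecked"          # no {scheme} prefix: not judged here
    scheme, digest = m.group(1).lower(), m.group(2)
    if not digest:
        return "empty"              # e.g. "{crypt}" with nothing after it
    if scheme != "crypt":
        return "unchecked"          # only {crypt} appears on the page
    if DES_CRYPT.fullmatch(digest) or MODULAR_CRYPT.fullmatch(digest):
        return "ok"
    return "malformed"              # truncated or otherwise incomplete hash


def audit(rows):
    """rows: iterable of (local_part, domain_name, password_hash) tuples."""
    findings = []
    for local_part, domain_name, password_hash in rows:
        verdict = classify(password_hash)
        if verdict in ("empty", "malformed"):
            findings.append((f"{local_part}@{domain_name}", verdict))
    return findings


# Constructed sample rows; the first hash value is the one quoted in the post.
SAMPLE_ROWS = [
    ("alice", "example.org", "{crypt}HsQP/FxpSt3h2"),
    ("bob", "example.org", "{crypt}"),
    ("carol", "example.org", "{crypt}HsQP"),
    ("dave", "example.org", None),
]

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_ROWS):
        print(f"{account}: {verdict} password_hash, disable or reset")
```

Accounts reported as `empty` or `malformed` should be locked or given a new password before the POP3 service accepts logins for them.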