[tpop3d-discuss]BUG ? - empty password allows any password
Chris Lightfoot
chris at ex-parrot.com
Mon, 5 Jul 2004 15:15:41 +0100
On Mon, Jul 05, 2004 at 10:52:04AM -0300, Jose de Paula Eufrįsio Junior wrote:
> I just stumbled on that:
>
> user@domain can login in pop3 (tpop3d) but not in imap. looking at the
> database I see that:
>
> password_hash = {crypt}
>
> and a normal user has something like
>
> password_hash = {crypt}HsQP/FxpSt3h2
>
> Then, using any random password I can login in the pop3 account of the
> user. Meaning, users with an incomplete password can use any password to
> login.
i.e. if you set a blank password for a user, any user can
log in. This is consistent with the behvaiour of (say)
login if you have a blank password field in /etc/passwd
(if a little unintuitive). You can work around it by
adding a clause to the auth_mysql SELECT statement to
restrict it to users who have non-empty passwords.
> auth-mysql-pass-query: SELECT concat(domain.path, '/',
> popbox.mbox_name), popbox.password_hash, domain.unix_user, 'maildir'
> FROM popbox, domain WHERE popbox.local_part = '$(local_part)' AND
> popbox.domain_name = '$(domain)' AND popbox.domain_name = domain.domain_name
e.g.
AND popbox.password_hash <> '{crypt}'
or whatever.
--
``This is why I don't trust anyone [whose] job was created after 1990.''
(describing `web design'; seen on the internet)