
POP3Lite Input Validation Vulnerability

by Phiber on September 7th, 2001

POP3Lite has an input validation problem which may be exploited by remote attackers. POP3Lite does not escape leading dots ('.') in e-mail it transfers. At the very least this may cause unusual behavior, but it may also be manipulated to malicious effect. This may allow an attacker to pass arbitrary server responses to the mail client of a user retrieving mail from a POP3Lite server.


Remote attackers may exploit this issue to inject messages or cause messages to be lost. A potential for mail-spoofing attacks also exists, as message headers can be falsified. A denial of service may also result, depending on how the client interprets the malicious input.


An attacker need only compose an email containing a line that begins with a '.'. Maliciously crafted fake server responses may follow in the body of the email message.
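The escaping this advisory says is missing is the byte-stuffing rule for multi-line POP3 responses (RFC 1939). The C sketch below is an added example, not POP3Lite's code: `pop3_dot_stuff` and `pop3_client_read` are hypothetical names and the sample message is constructed. It shows a client cutting a message short at a bare '.' line when the server does not escape, and recovering it whole when it does.

```c
#include <stdio.h>
#include <string.h>

/* Server side (RFC 1939 multi-line response): prepend '.' to each line that
 * starts with '.', then append ".\r\n". Returns length, or -1 on overflow. */
long pop3_dot_stuff(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;
    int bol = 1;                              /* at beginning of line? */
    for (const char *p = msg; *p; p++) {
        if (o + 2 >= outsz) return -1;        /* room for stuffing + byte */
        if (bol && *p == '.') out[o++] = '.'; /* the escaping step */
        out[o++] = *p;
        bol = (*p == '\n');
    }
    if (o + 5 >= outsz) return -1;
    if (!bol) { memcpy(out + o, "\r\n", 2); o += 2; }
    memcpy(out + o, ".\r\n", 4);              /* terminator plus NUL */
    return (long)(o + 3);
}

/* Client side: copy lines until one that is exactly ".", dropping one leading
 * '.' from stuffed lines. Returns length, or -1 on error. outsz must be >= 1. */
long pop3_client_read(const char *wire, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = wire, *eol; (eol = strstr(p, "\r\n")); p = eol + 2) {
        if (eol - p == 1 && *p == '.') { out[o] = '\0'; return (long)o; }
        if (*p == '.') p++;                   /* undo byte-stuffing */
        size_t n = (size_t)(eol - p) + 2;
        if (o + n >= outsz) return -1;
        memcpy(out + o, p, n);
        o += n;
    }
    return -1;                                /* terminator never seen */
}

int main(void)
{
    /* Constructed sample: the fourth line is a single '.' */
    const char *msg = "Subject: hi\r\n\r\nline one\r\n.\r\nline two\r\n";
    char raw[128], wire[128], got[128];
    snprintf(raw, sizeof raw, "%s.\r\n", msg);   /* relayed without escaping */
    pop3_dot_stuff(msg, wire, sizeof wire);      /* relayed with escaping */
    printf("unescaped: %ld of %zu bytes reach the client\n",
           pop3_client_read(raw, got, sizeof got), strlen(msg));
    printf("escaped: %ld of %zu bytes reach the client\n",
           pop3_client_read(wire, got, sizeof got), strlen(msg));
    return 0;
}
```

In the unescaped case everything after the bare '.' line is left on the connection, where the client will read it as whatever comes next in the session.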


Solution:

POP3Lite POP3Lite 0.2.3b:

  • POP3Lite upgrade POP3Lite

  • Debian upgrade POP3Lite 0.4.2a-1 unstable


POP3Lite POP3Lite 0.2.3:

  • POP3Lite upgrade POP3Lite

  • Debian upgrade POP3Lite 0.4.2a-1 unstable


FYI:

POP3Lite is a free, open-source compact POP3 daemon for Linux and BSD systems.

This vulnerability was disclosed by Daniel Roethlisberger.

