w00w00 Security Advisory - http://www.w00w00.org/ Title: vpopmail Platforms: Any Discovered: 7th January, 2000 Local: Yes. Remote: Yes. Author: K2 Vendor Status: Notified. Last Updated: N/A 1. Overview When vpopmail is used to authenticate user information and passed an excessively long command argument, a remote attacker may compromise the privilege level that vpopmail is running (usually root). 2. Impact A remote attacker may attain the privilege level of the authentication module. Sample exploit code can be found at http://www.ktwo.ca/security.html 3. Recommendation Impose the 40 character limitation specified by RFC1939 into the mail that passes password to vpopmail or modify vpopmail itself. A qmail-specific patch is available at http://www.ktwo.ca/c/qmail-popup-patch. -------------------------------------------------------- K2 www.ktwo.ca / ktwo@ktwo.ca