--Sam Varshavchik wrote on 12.02.2002 20:03 -0500:

>> http://courier.serv.ch/patches/pop3-apop/pop3-apop-0.37.2.patch
>
> The authcheckpassword hack is ugly.

Yes, abusing the existing code from plain-login :) The authtype is not available in the checkpassword-functions for plaintext-logins, only in those for cram.

> Not to mention that if the cleartext
> password begins with <, and is less than 12 bytes long, you'll run off the
> end of the password string buffer. Similar code in other modules is
> similarly vulnerable.

The string will now be prepended with "APOP " in pop3login. It's easier to process and this bug should be gone.

btw: any chance to decrypt the hmac-md5pw listed in userdb back to plaintext?

Roland
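An added illustration of the over-read discussed in this message and of the tagged-prefix form that avoids it. This is not code from the patch or from Courier: FIXED_SKIP, fixed_skip_overreads() and apop_payload() are hypothetical names, and the model of the flaw is an assumption built only from the "begins with <" and "12 bytes" wording above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIXED_SKIP 12       /* hypothetical offset, modelled on the "12 bytes" in the thread */
#define APOP_TAG   "APOP "  /* prefix the reply says pop3login now prepends */

/* Model of the flawed pattern: a leading '<' is taken as proof that at
 * least FIXED_SKIP bytes follow. Returns 1 if indexing s[FIXED_SKIP]
 * would land past the terminating NUL; the read itself is not performed. */
int fixed_skip_overreads(const char *s)
{
    if (s[0] != '<')
        return 0;                    /* ordinary plaintext path, no skip */
    return strlen(s) < FIXED_SKIP;   /* short "<..." password: out of bounds */
}

/* Bounded form: classify by an explicit tag. strncmp() stops at the first
 * NUL, so a string shorter than the tag is never read past its end.
 * Returns the payload after the tag, or NULL for a plaintext password. */
const char *apop_payload(const char *s)
{
    size_t taglen = sizeof(APOP_TAG) - 1;

    if (strncmp(s, APOP_TAG, taglen) != 0)
        return NULL;
    return s + taglen;               /* at worst points at the NUL */
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real login. */
    const char *samples[] = { "<abc", "secret", "APO",
                              "APOP <1.2@h> deadbeef" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *p = apop_payload(samples[i]);
        printf("%-24s fixed-skip over-read=%d  tagged=%s\n", samples[i],
               fixed_skip_overreads(samples[i]), p ? p : "(plaintext)");
    }
    return 0;
}
```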
