Bug#336979: exim4: Using courier_authdaemon authentication accepts wrong passwords
Marc Haber
mh+debian-packages at zugschlus.de
Wed Nov 2 07:24:31 UTC 2005
tags #336979 confirmed security
severity #336979 important
thanks
On Wed, Nov 02, 2005 at 01:37:35AM +0100, Peter Thomassen wrote:
> When using plain_courier_authdaemon or login_courier_authdaemon
> authentication, wrong passwords are accepted (but only correct
> usernames).
Ouch!
> According to [1], this is Debian-specific.
> [1]: http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
Ouch!
* Why has this taken more than a quarter of a year to be reported to
the people who are able to fix it?
* I cannot see why this is Debian-specific since we took the
authenticators listed on that web page verbatim.
> [2] gives another server_condition which is claimed to not raise this
> problem, but I cannot verify that because I just don't understand it.
> [2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
This code works, and since the exim wiki is more "official" than some
random web forum, I have modified the Debian package to now use this
example.
> Since this allows unauthorized people to authenticate with Exim, this is
> a security hole (critical).
Since this issue is in an example which is commented out by default,
the Debian security team disagrees. I will fix this issue in Debian
sid and eventually in etch, but the broken example will stay in sarge.
This bug report will remain available for reference though.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835