Home page logo

bugtraq logo Bugtraq mailing list archives

Re: serious Qpopper 3.0 vulnerability
From: jhigham () BIGSKY NET (Josh Higham)
Date: Tue, 30 Nov 1999 10:54:03 -0700

-----Original Message-----
From: Mixter <mixter () NEWYORKOFFICE COM>
Date: Tuesday, November 30, 1999 10:23 AM
Subject: serious Qpopper 3.0 vulnerability

PS: The installation file suggests to run qpopper without tcpd, e.g.:
pop3 stream tcp nowait root /usr/local/lib/qpopper qpopper -s
I would NOT suggest doing it that way. Use:
pop3 stream tcp nowait root /usr/sbin/tcpd qpopper -s
instead. At least for me it works behind a tcp wrapper, and that way,
you can use access control and every connection _attempt_ gets logged.

Does anyone know why qpopper suggests running without wrappers?  Does it
lose some functionality that way, or is it deadwood from a previous
incompatibility between tcpd and qpopper?  It seems pretty significant to
suggest not using wrappers, and I would expect a significant reason for
that, but I don't recall seeing anything about it in the docs.

Josh Higham

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]