Home page logo

bugtraq logo Bugtraq mailing list archives

Re: UW c-client library vulnerability
From: Josh Higham <jhigham () BIGSKY NET>
Date: Fri, 1 Sep 2000 16:49:26 -0600

-----Original Message-----
From: Juhapekka Tolvanen <juhtolv () ST JYU FI>
Date: Friday, September 01, 2000 3:56 PM
Subject: UW c-client library vulnerability

It seems, that c-client libraries by University of Washington have
some bug(s), that makes some programs that depend upon those libraries
go crazy. AFAIK affected programs include at least Pine (read "pain"),
ipop3d and IMAPD. And those programs and libraries are commonly used in
Unixes. I don't know, if any patch, fix, work-around etc. exist.

Looks like all boxes get an extra message inserted. It looks something
like this:

| From MAILER-DAEMON  Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON () host com>

I don't know if it's the IMAP daemon or the pine client who is responsible
for this.

The header may be causing some problems with PINE and/or IMAP that cause it
to misparse the mailbox, but the 'INTERNAL DATA' message is created by the
UW IMAP/POP3 daemon when you first connect.  The first time it happened I
couldn't figure out the problem, because I only used POP once or twice,
normally using pine.  Later I was responsible for a multiuser system, and
every POP mailbox had that message.  AFAIK it is coincidental that these
people first saw it in pine after receiving your message.  Perhaps they
usually just POP, but after receiving that file used pine to investigate

As a note if you change POP daemons from UW to something else, remember to
delete that first message from the mailboxes, or your users will send you a
message or two (hundred) :-).

Josh Higham

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]