fabians
Posted March 27, 2012

Hey guys!
I got an interesting security bug...
If I log in to the courier via pop3 or IMAP, I can use not only my password, but also similar ones to log in.
Example: If my password was "password", I can log in with the password "password", "password1", "password23445" etc., but not with "123password".
Also, if my password was "password12345", I can log in with "password", "password1234" and also "password987654321".
Courier seems to not care about passwords that have numbers at the end.
Is that supposed to be that way?
Postfix SMTP-Auth works great, it only accepts the actual password...

Linux-Admin
Posted March 29, 2012

Hi fabians,
looks like your password is truncated to a length of 8 characters like MD5 does. That's it.
Best regards
Linux-Admin
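
Added example (not part of the original thread, and not Courier's code): truncation to 8 characters is the known behaviour of traditional DES-based crypt(3) hashes, so this sketch assumes that is the stored scheme, models the accept/reject pattern from the question, and flags such entries in a `login:hash` list. The file layout, sample entries and function names are constructed for illustration.

```python
import re

# Traditional DES-based crypt(3) hashes only the first 8 characters
# (bytes) of the password; anything after that is ignored.
DES_MAX = 8
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash

PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}

def scheme(hash_field):
    """Classify a crypt(3)-style hash string by its format."""
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "des-crypt" if DES_RE.match(hash_field) else "unknown"

def truncating_accounts(lines):
    """Return logins whose stored hash has the 8-character-truncating
    DES format. Input lines are 'login:hash[:...]' (assumed layout)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, _, rest = line.partition(":")
        if scheme(rest.split(":")[0]) == "des-crypt":
            hits.append(login)
    return hits

def des_would_accept(real_password, attempt):
    """Model of the truncation for ASCII passwords: two passwords are
    indistinguishable when their first 8 characters match."""
    return real_password[:DES_MAX] == attempt[:DES_MAX]

# Constructed sample entries; the hash bodies are format placeholders.
SAMPLE = [
    "alice:ab" + "X" * 11,
    "bob:$6$saltsalt$" + "x" * 86,
    "carol:$1$saltsalt$" + "y" * 22,
]

if __name__ == "__main__":
    print("accounts to re-hash:", truncating_accounts(SAMPLE))
    for attempt in ("password", "password1234", "123password"):
        print(attempt, des_would_accept("password12345", attempt))
```

Accounts flagged this way keep the weakness until the user's password is set again under a non-truncating scheme, since the stored hash cannot be converted.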
Archived
This topic is now archived and is closed to further replies.