If there is, I don't want to know about it

Seriously though: 1.2 suffers from the sql-injection bug. The code doesn't check i.e. whether the 'create' command for imap (which creates mailboxes) doesn't contain malicious code. It is possible for attackers to execute any kind of sql command:

something along the lines of:
C : A01 login testuser1 test
S : A01 * OK
C : A02 CREATE 'testbox'
S : A02 * OK
C : A03 CREATE 'testbox2"; DELETE FROM MESSAGEBLKS;'
S : A03 * OK
etc. You get the picture I'm sure.
2.0 and 2.1 do NOT suffer from this problem. And that's just the most critical problem with 1.2 that comes to mind.

So yes! All you 1.2 users (you too, Jesse) better start thinking about upgrading.

Leonel Nunez wrote:
> Paul J Stevens wrote:
>
>> Becki,
>>
>> The CVE you refer to is *not* about dbmail. It's about Xmail, a different
>> product altogether.
>>
>> That said: don't use 1.2.11 on a new system. Use 2.0.6 instead. 1.2.x is old,
>> and not maintained any more.
>
> Is there any known bug on 1.2.11 ?
>
> Leonel
>
> _______________________________________________
> Dbmail mailing list
> Dbmail dbmail.org
> https://mailman.fastxs.nl/mailman/listinfo/dbmail
>
--
  ________________________________________________________________
  Paul Stevens                                      paul at nfg.nl
  NET FACILITIES GROUP                     GPG/PGP: 1024D/11F8CD31
  The Netherlands________________________________http://www.nfg.nl
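
The bug class described in the message above, as an added example that is not part of the original thread and is not DBMail code: the mailbox name pasted into statement text next to the same name passed as a bound parameter. The schema, the function names and the use of an in-memory SQLite database are assumptions made for illustration.

```python
import sqlite3

# Constructed input: the mailbox name from the CREATE command in the message above.
HOSTILE_NAME = 'testbox2"; DELETE FROM MESSAGEBLKS;'

def make_db():
    """In-memory stand-in database; the schema is hypothetical, not DBMail's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailboxes (owner TEXT, name TEXT)")
    db.execute("CREATE TABLE messageblks (id INTEGER PRIMARY KEY, data TEXT)")
    db.executemany("INSERT INTO messageblks (data) VALUES (?)",
                   [("block 1",), ("block 2",)])
    return db

def build_unsafe_sql(owner, name):
    """Vulnerable pattern: the client string is pasted into the statement text.
    A double quote in `name` ends the literal, and the rest is parsed as SQL."""
    return 'INSERT INTO mailboxes (owner, name) VALUES ("%s", "%s")' % (owner, name)

def create_mailbox(db, owner, name):
    """Hardened pattern: the name travels as a bound parameter, never as SQL text."""
    db.execute("INSERT INTO mailboxes (owner, name) VALUES (?, ?)", (owner, name))
    db.commit()

def demo():
    """Create a mailbox with the hostile name through the hardened path and
    return (stored name, number of message blocks still present)."""
    db = make_db()
    create_mailbox(db, "testuser1", HOSTILE_NAME)
    stored = db.execute("SELECT name FROM mailboxes").fetchone()[0]
    blocks = db.execute("SELECT COUNT(*) FROM messageblks").fetchone()[0]
    return stored, blocks

if __name__ == "__main__":
    # Statement text the vulnerable pattern would hand to the database (not executed here).
    print(build_unsafe_sql("testuser1", HOSTILE_NAME))
    # With a bound parameter the name is stored verbatim and both blocks remain.
    print(demo())
```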