Brendan Cully <[EMAIL PROTECTED]> writes:

>> May I again offer to use my code here which I deem a *COMPLETE*
>> RFC822-validation:
>> <http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c>
>
> I'm afraid that doing heavy validation may introduce interoperability
> problems with some buggy POP servers. Since odd timestamps are
> generally harmless in this context, I'd rather do the minimum needed
> to suppress this vulnerability than enforce strict compliance with the
> RFC.
I have yet to see a server that sends a broken APOP challenge (timestamp).
Those I checked were all very conservative. And making users complain to
their ISPs about broken servers is also a good thing.

APOP is "for lack of a stronger authenticator" anyways, and since my
upstreams all have at least proper SSL certificates that I can validate
to fend off MITM attacks, I couldn't care less about interoperability.

The code as shown works on the servers I have access to - that's about as
much as matters to me. I'm well aware that this isn't representative, yet
I think that the more you accept, the more susceptible you are to
Leurent's CVE-2007-1558 attack - and that's avoidable.

-- 
Matthias Andree
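An added illustration of the strict-validation position argued above; this is not fetchmail's rfc822valid.c nor code from the thread, and the function name apop_challenge_ok is assumed. It accepts an APOP challenge only when it is a bracketed printable-ASCII msg-id of the form <dot-atoms@dot-atoms>, so a malicious server has no room to place control or 8-bit bytes in the challenge, which is what keeps the client out of the CVE-2007-1558 collision scenario.

```c
#include <stddef.h>
#include <string.h>

/* Conservative RFC 822 "atom" character: printable ASCII that is not a
 * special and not space. Illustrative subset, not a full RFC 822 parser. */
static int is_atom_char(int c)
{
    static const char specials[] = "()<>@,;:\\\".[]";
    return c > 32 && c < 127 && strchr(specials, c) == NULL;
}

/* Scan atom *("." atom) in s[0..n). Returns bytes consumed, 0 on error
 * (empty atom, leading/trailing/double dot). */
static size_t scan_dot_atoms(const char *s, size_t n)
{
    size_t i = 0;
    for (;;) {
        size_t start = i;
        while (i < n && is_atom_char((unsigned char)s[i]))
            i++;
        if (i == start)
            return 0;                       /* empty atom */
        if (i < n && s[i] == '.') {
            i++;                            /* another atom must follow */
            continue;
        }
        return i;
    }
}

/* Returns 1 if chal looks like "<local@domain>" built only from atoms,
 * 0 otherwise. Anything with whitespace, control or 8-bit bytes,
 * stray brackets or trailing junk is rejected. */
int apop_challenge_ok(const char *chal)
{
    size_t n = strlen(chal), i, k;
    if (n < 5 || n > 255)                   /* "<a@b>" is the minimum */
        return 0;
    if (chal[0] != '<' || chal[n - 1] != '>')
        return 0;
    for (i = 0; i < n; i++) {               /* printable ASCII only */
        unsigned char c = (unsigned char)chal[i];
        if (c <= 32 || c >= 127)
            return 0;
    }
    i = 1;
    k = scan_dot_atoms(chal + i, n - 1 - i); /* local-part */
    if (k == 0 || chal[i + k] != '@')
        return 0;
    i += k + 1;
    k = scan_dot_atoms(chal + i, n - 1 - i); /* domain */
    if (k == 0)
        return 0;
    return i + k == n - 1;                  /* must land exactly on '>' */
}
```

The first test value is the APOP example challenge from RFC 1939; the rest are constructed malformed inputs.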