Thanks for the explanation. That makes sense.

Markus

On Tue, 29 Feb 2000 [EMAIL PROTECTED] wrote:
> On Tue, Feb 29, 2000 at 02:44:08PM +0100, Markus Wuebben wrote:
> > Is this known?
>
> Yes.
>
> Is this true? No.
>
> > A complete description of the problem can be found
> > at http://www.inter7.com/vpopmail/exploit.html
>
> qmail is not at fault here. vpopmail is. qmail-pop3d indeed does not limit
> the username length, but the way I read RFC1939 it is the client which
> is not allowed to send a username over 40 characters. It is up to the server
> to handle these too long usernames. qmail-pop3d conforms to RFC1939 in that
> it allows usernames of up to 40 characters. That it also supports even
> longer usernames is not forbidden.
>
> vpopmail allows input (indirectly from a user) to overflow a buffer. That
> is a programming error, and a bad one too.
>
> Greetz, Peter.
> --
> Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder
> |
> | 'C makes it easy to shoot yourself in the foot;
> | C++ makes it harder, but when you do it blows your whole leg off.'
> | Bjarne Stroustrup, Inventor of C++
>
Markus Wuebben
Products & Development
* ID-PRO GmbH
* Tel.: +49 (0) 2932 - 916 - 136
* Fax: +49 (0) 2932 - 916 - 236
* mailto:[EMAIL PROTECTED]
* http://open-for-the-better.com
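
Added example, not part of the thread and not code from qmail or vpopmail: one way a program that receives the POP3 username can bound it before copying it into a fixed buffer, rejecting overlong names instead of truncating them. The names store_username, parse_user_command and USER_BUF and the 64-byte buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USER_BUF 64 /* assumed size of the receiving program's buffer */

enum user_rc { USER_OK, USER_NOT_USER_CMD, USER_EMPTY, USER_TOO_LONG, USER_BAD_CHAR };

/* Copy an untrusted login name of len bytes into dst[dstsz].
 * Rejects rather than truncates: a silently shortened name could
 * match a different account. dst is left empty on any failure. */
enum user_rc store_username(char *dst, size_t dstsz, const char *src, size_t len)
{
    size_t i;
    if (dstsz == 0) return USER_TOO_LONG;
    dst[0] = '\0';
    if (len == 0) return USER_EMPTY;
    if (len >= dstsz) return USER_TOO_LONG;   /* keep one byte for the NUL */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c <= 0x20 || c == 0x7f) return USER_BAD_CHAR; /* space or control */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return USER_OK;
}

/* Parse one POP3 "USER name" line (keyword is case-insensitive). */
enum user_rc parse_user_command(const char *line, char *dst, size_t dstsz)
{
    static const char kw[] = "USER ";
    size_t i;
    for (i = 0; kw[i] != '\0'; i++)
        if (toupper((unsigned char)line[i]) != kw[i]) return USER_NOT_USER_CMD;
    line += i;
    return store_username(dst, dstsz, line, strcspn(line, "\r\n"));
}

int main(void)
{
    char name[USER_BUF], big[5 + 200 + 3] = "USER "; /* constructed sample input */
    memset(big + 5, 'A', 200);
    memcpy(big + 205, "\r\n", 3);
    printf("short: %d\n", parse_user_command("user alice\r\n", name, sizeof name));
    printf("long:  %d\n", parse_user_command(big, name, sizeof name));
    return 0;
}
```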