Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by brendan): (In [3d1d7f6cf693]) Validate msgid in APOP authentication. Closes #2846 -- Ticket URL: <http://dev.mutt.org/trac/ticket/2846#comment:9>

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by Matthias Andree): {{{ Brendan Cully <[EMAIL PROTECTED]> writes: >> May I again offer to use my code here which I deem a *COMPLETE* >> RFC822-validation: >> <http://mknod.org/svn/fetchmail/branch

Re: #2846: Security vulnerability in APOP authentication

Brendan Cully <[EMAIL PROTECTED]> writes: >> May I again offer to use my code here which I deem a *COMPLETE* >> RFC822-validation: >> > > I'm afraid that doing heavy validation may introduce interoperability > problems with some bu

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by Brendan Cully): {{{ On Saturday, 07 April 2007 at 21:22, Matthias Andree wrote: > Brendan Cully <[EMAIL PROTECTED]> writes: > > > On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: > >> I was lo

Re: #2846: Security vulnerability in APOP authentication

On Saturday, 07 April 2007 at 21:22, Matthias Andree wrote: > Brendan Cully <[EMAIL PROTECTED]> writes: > > > On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: > >> I was looking at some mutt code for this issue and other issues that > >> report broken threading upon invalid message-ids. It

Re: #2846: Security vulnerability in APOP authentication

Brendan Cully <[EMAIL PROTECTED]> writes: > On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: >> I was looking at some mutt code for this issue and other issues that >> report broken threading upon invalid message-ids. It seems that mutt >> happily accepts the following syntax: '<.*>' whi

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Changes (by brendan): * status: new => closed * resolution: => fixed -- Ticket URL: <http://dev.mutt.org/trac/ticket/2846#comment:6>

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by brendan): From the BNR, 0-31 appears to be legal when quoted in the local part. As long as the current MD5 collision generators need characters above 127, I think this is OK. -- Ticket URL: <http://dev.mutt.org/trac/tic

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by Rocco Rutte): {{{ Hi, * Brendan Cully [07-04-02 15:31:14 -0700] wrote: >On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: >> I was looking at some mutt code for this issue and other issues that >>

Re: #2846: Security vulnerability in APOP authentication

Hi, * Brendan Cully [07-04-02 15:31:14 -0700] wrote: On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: I was looking at some mutt code for this issue and other issues that report broken threading upon invalid message-ids. It seems that mutt happily accepts the following syntax: '<.*>'

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Comment (by Brendan Cully): {{{ On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: > I was looking at some mutt code for this issue and other issues that > report broken threading upon invalid message-ids. It seems tha

#2846: Security vulnerability in APOP authentication

On Sunday, 18 March 2007 at 17:36, Rocco Rutte wrote: > I was looking at some mutt code for this issue and other issues that > report broken threading upon invalid message-ids. It seems that mutt > happily accepts the following syntax: '<.*>' which is just plain wrong. > > I looked at rfc822

Re: [Mutt] #2846: Security vulnerability in APOP authentication

#2846: Security vulnerability in APOP authentication Changes (by brendan): * component: mutt => POP -- Ticket URL: <http://dev.mutt.org/trac/ticket/2846#comment:2>

Re: Security vulnerability in APOP authentication

Rocco Rutte <[EMAIL PROTECTED]> writes: > I was looking at some mutt code for this issue and other issues that > report broken threading upon invalid message-ids. It seems that mutt > happily accepts the following syntax: '<.*>' which is just plain > wrong. If that was supposed to be a basic rege

Re: Security vulnerability in APOP authentication

Hi, * Matthias Andree [07-03-18 03:06:21 +0100] wrote: Rocco Rutte <[EMAIL PROTECTED]> writes: APOP IMHO should never be considered a secure way of authentication, it's just more secure than sending plain passwords over the wire. But yes, since the RfC says the "timestamp" must be syntacially

Re: Security vulnerability in APOP authentication

Rocco Rutte <[EMAIL PROTECTED]> writes: > APOP IMHO should never be considered a secure way of authentication, > it's just more secure than sending plain passwords over the wire. But > yes, since the RfC says the "timestamp" must be syntacially valid > message-id and mutt doesn't check it, there's

Re: Security vulnerability in APOP authentication

Gaëtan LEURENT wrote on 14 Mar 2007 15:53:36 +0100: > I found a security vulnerability in the APOP authentication. It is > related to recent collision attacks by Wang and al. against MD5. Does somebody care about this, are you all busy reinventing Unix's $PATH? By the way, what's the next step

Re: Security vulnerability in APOP authentication

$LD_LIBRARY_PATH and $LD_PRELOAD? You know, these are global configuration variable, what's in here should be here for a reason. It offers many creative ways of shooting yourself in the foot, but it also offers many useful way of solving real-life problems. If you're not confident in what's in t

Re: Security vulnerability in APOP authentication

Rocco Rutte wrote on 15 Mar 2007 11:33:49 +0100: > Well, this is a difficult issue. First, using hash algorithms always > leaves us with the risk of collisions if it's only a theoretical one. Sure, but a single collision is not a security threat... the problem arises when you can construct coll

Re: Security vulnerability in APOP authentication

Hi, * Gaëtan LEURENT [07-03-14 15:53:36 +0100] wrote: This attack is really a practical one: it needs about an hour of computation and a few hundred authentications from the client, and can recover three password characters. I tested it against mutt, and it does work. Well, this is a difficu

Security vulnerability in APOP authentication

Hello, I found a security vulnerability in the APOP authentication. It is related to recent collision attacks by Wang and al. against MD5. The basic idea is to craft a pair of message-ids that will collide in the APOP hash if the password begins in a specified way. So the attacker would imperso

mutt/2846: Security vulnerability in APOP authentication

>Number: 2846 >Notify-List: >Category: mutt >Synopsis: Security vulnerability in APOP authentication >Confidential: no >Severity: serious >Priority: high >Responsible:mutt-dev >State: open >Keywords: >Cla