From: Alan Thew (no email)
Date: Tue Nov 06 2001 - 16:21:23 EST
It's quite possible/likely that these are not issues for most sites but I
wanted to raise them to see what, if anything, others do/have done.
1) unlike login on most *nix systems imspd will let an attacker know if
a guessed username exists or not.
2) unlike login on most *nix systems I have used, imspd allows an attacker
to try a fresh password immediately.
OK, so plaintext is bad etc but I don't see why the above is a good
idea...
Thanks
-- Alan Thew FAX: +44 151 794 4442