POP2/POP3 server predictable lock file names denial of service
| pop-predictable-lockfile (4335) |  Medium Risk |
Description:
Various POP2/POP3 servers, such as the imap-uw package developed by the University of Washington and qpopper, create lock files with predictable names. The algorithm used to lock mailbox files could allow an unauthorized local user to lock mailboxes of other users.
Consequences:
Denial of Service
Remedy:
No remedy available as of July 9, 2011.
References:
- BugTraq Mailing List, Thu Apr 20 2000 - 11:23:28 CDT: pop3.
- BugTraq Mailing List, Wed Apr 19 2000 - 19:54:04 CDT: pop3d/imap DOS (while we're on the subject).
- FreeBSD Security Advisory FreeBSD-SA-00:15: imap-uw allows local users to deny service to any mailbox.
- BID-1132: Multiple Vendor popd Lock File Denial of Service Vulnerability
- CVE-2000-1197: POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and other operating systems creates lock files with predictable names, which allows local users to cause a denial of service (lack of mail access) for other users by creating lock files for other mail boxes.
- CVE-2000-1198: qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.
Platforms Affected:
- FreeBSD FreeBSD 4.0
- Qualcomm Qpopper 2.53
- Qualcomm Qpopper 3.0
- RedHat Linux 6.1
- RedHat Linux 6.2
- University of Washington IMAP 4.5
Reported:
Apr 24, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net