On Thu, 7 Aug 1997 dynamo@IME.NET wrote:
> Some versions of popper and qpopper from qualcomm allow you to read
> other peoples email. There are quite a few situations in which you
> need your mail spool directory chmodded 1777. If you have local users
> on a machine with the mail spool directory, they can create symbolic
> links from the temporary pop drop box to a file that they can read.
>
> See if youre vulnerable:
<Details of exploit deleted>
> Apparently it is fixed in the newest version.
Here's what I did when I tried this on my personal system at home which
runs QPOPPER 2.2:
/tmp$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at (zang!) starting. <2104.871076037@(plink!)>
user (poof!)
+OK Password required for (zap!).
pass (boink!)
- -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'
Even version 2.2 of qpopper is smart enough to know the difference between
a regular file and a symbolic link.
- --Ian.
- ---
Ian R. Justman (ianj@calweb.com)
Finger ianj@calweb.com for my public PGP key.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQEVAwUBM+uTLkyc+bfQRhUBAQF3Cwf/WxHBunYU0OCyyMVSClUVq9lV8bDkijqk
EfvcQF1wbEAcm+f4d7FnF55Q6QZlyXYejRYwy0ocro+erE9DHWfqj7lQJ9OTReKq
1I+vPXbx6y15bfAo7pwwW/G8XZFXiLs3cRXw9K0znMoFvRbJezrgCMrC/3O41glP
SvBU3OhDNtuV1RMcRR8gsBnkWtqKQG53WVvNhf/wSvVxhChL4MQADlFTkosS43il
jmJ7rPYxV/jxDV/jMS40iFM7yjtIQv7RrwmQDpVI5PHjxHHaZiJkDUqZUTWwidBG
3KyW+DYPNRDkqnmPwpJKBytOh3UhMpXc0a/euBPO7VhzVB53cSI01A==
=p1SE
-----END PGP SIGNATURE-----