Menu
▾
▴
Re: [fetchmail-devel] Security vulnerability in APOP authentication
|
From: Matthias A. <mat...@gm...> - 2007-03-18 02:25:01
|
Gaëtan LEURENT schrieb: > The idea of this attack is to create a collision, and replace a part of > the collision with an unknown password character; therefore, if it still > collides the chances are that the password character is the same than > the one in the original collision. > Well OpenSSL does something like 2^31 MD5 per hour, and 85^5 is about > 2^32. So you should be able to bruteforce 5 characters in 2 > hours... Gee. I can then be friendly and use USER/PASS instead to spoil the challenge at least :-) >> That is certainly feasible to implement, I wonder though if that helps >> us out for long. > > Well I don't know. That's up to you to choose if it's worth... Let's just try it. I'm attaching a patch against 6.3.8-rc1 that validates the timestamp according to the RFC-822 ABNF stuff and refuses to authenticate if the timestamp isn't a valid RFC-822 msd-id token. Yes, I hand-hacked a full(!) msg-id parser, and a few more eyeballing is desired - let me know if you have any concerns about the new rfc822valid.c. Thanks. Best regards Matthias Andree |
