w00w00 Security Advisory - http://www.w00w00.org/
Title:          vpopmail
Platforms:      Any
Discovered:     7th January, 2000
Local:          Yes.
Remote:         Yes.
Author:         K2 <ktwo@ktwo.ca>
Vendor Status:  Notified.
Last Updated:   N/A

1. Overview

When vpopmail is used to authenticate user information and is passed an
excessively long command argument, a remote attacker may gain the
privilege level at which vpopmail runs (usually root).

2. Impact

A remote attacker may attain the privilege level of the authentication
module.
Sample exploit code can be found at http://www.ktwo.ca/security.html

3. Recommendation

Enforce the 40 character argument limit specified by RFC 1939 in the mail
server that passes the password to vpopmail, or modify vpopmail itself.
A qmail-specific patch is available at
http://www.ktwo.ca/c/qmail-popup-patch.
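As an added illustration of that limit (not code from vpopmail, qmail-popup or the patch above), the following C functions reject any POP3 argument longer than 40 characters before it is copied into a fixed buffer; function names and sample lines are hypothetical.

```c
#include <string.h>
#include <strings.h>

/* RFC 1939 section 3: keywords are 3 or 4 characters, each argument at most 40. */
#define POP3_MAX_KEYWORD 4
#define POP3_MAX_ARG     40

enum pop3_status { POP3_OK = 0, POP3_BAD_KEYWORD = -1, POP3_ARG_TOO_LONG = -2 };

/* Validate a generic POP3 command line (no CRLF) against the RFC 1939 limits.
 * Hypothetical helper written for this advisory, not vpopmail or qmail-popup code. */
int pop3_check_line(const char *line)
{
    size_t klen = strcspn(line, " ");
    if (klen < 3 || klen > POP3_MAX_KEYWORD)
        return POP3_BAD_KEYWORD;
    for (const char *p = line + klen; *p == ' '; ) {
        while (*p == ' ')
            p++;
        size_t alen = strcspn(p, " ");
        if (alen > POP3_MAX_ARG)
            return POP3_ARG_TOO_LONG;
        p += alen;
    }
    return POP3_OK;
}

/* Copy the PASS argument into a fixed buffer only after the length check, so the
 * password handed to the authentication module can never exceed 40 bytes. PASS has
 * exactly one argument, so spaces after the keyword are part of the password.
 * Returns 0 on success, -1 if the line is not an acceptable PASS command. */
int pop3_copy_pass(const char *line, char *out, size_t outlen)
{
    if (strncasecmp(line, "PASS ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t alen = strlen(arg);
    if (alen == 0 || alen > POP3_MAX_ARG || alen + 1 > outlen)
        return -1;                       /* reject before any byte is copied */
    memcpy(out, arg, alen);
    out[alen] = '\0';
    return 0;
}
```

A PASS line with 41 or more characters after the keyword returns -1 without touching the output buffer, which is the point at which the over-long argument would otherwise reach the authentication module.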

--------------------------------------------------------
K2
www.ktwo.ca / ktwo@ktwo.ca