w00w00 Security Advisory - http://www.w00w00.org
Title:          vpopmail
Platforms:      Any
Discovered:     7th January, 2000
Local:          Yes.
Remote:         Yes.
Author:         K2 (ktwo@ktwo.ca)
Vendor Status:  Notified.
Last Updated:   N/A

1. Overview

When vpopmail is used to authenticate user information and is passed an
excessively long command argument, a remote attacker may compromise the
privilege level at which vpopmail is running (usually root).

2. Impact

A remote attacker may attain the privilege level of the authentication
module.  Sample exploit code can be found at

3. Recommendation

Impose the 40 character limitation specified by RFC1939 in the mail
agent that passes the password to vpopmail, or modify vpopmail itself.  A
qmail-specific patch is available at
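One way to enforce the RFC1939 limit in the mail agent before the password reaches the authentication module, as an added example that is not part of this advisory, of vpopmail or of qmail; the function names and the status codes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* RFC 1939, section 3: each POP3 command argument may be at most 40 characters. */
#define POP3_ARG_MAX 40

enum pass_status { PASS_OK = 0, PASS_BAD_SYNTAX = -1, PASS_TOO_LONG = -2 };

/*
 * Hypothetical front-end check, not vpopmail's own code: copy the argument of a
 * "PASS <secret>" line into `out` (at least POP3_ARG_MAX + 1 bytes), refusing any
 * argument longer than 40 characters before it can reach the authentication module.
 */
enum pass_status check_pass_line(const char *line, char *out)
{
    size_t len;
    /* keyword is case-insensitive and must be followed by exactly one space */
    if (strncasecmp(line, "PASS ", 5) != 0)
        return PASS_BAD_SYNTAX;
    line += 5;
    len = strcspn(line, "\r\n");          /* argument runs up to the line terminator */
    if (len == 0)
        return PASS_BAD_SYNTAX;
    if (len > POP3_ARG_MAX)
        return PASS_TOO_LONG;             /* enforce the limit before any copy happens */
    memcpy(out, line, len);
    out[len] = '\0';
    return PASS_OK;
}

/* Constructed input: a PASS line whose argument is n bytes of 'A'; returns the verdict. */
enum pass_status check_constructed(size_t n)
{
    char line[512], out[POP3_ARG_MAX + 1];
    if (n > 500)
        return PASS_TOO_LONG;
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);      /* the 3 bytes include the terminating NUL */
    return check_pass_line(line, out);
}

int main(void)
{
    printf("40 chars -> %d, 41 chars -> %d, 300 chars -> %d\n",
           check_constructed(40), check_constructed(41), check_constructed(300));
    return 0;
}
```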
