11 May 2006
Vpopmail Cleartext Password Authentication Bypass Doesn't Affect H-Sphere Mail System
According to the published advisory, the issue is caused by an error in
the handling of SMTP AUTH and APOP password authentication. This can be exploited to authenticate
to the mail server using a blank password.
Successful exploitation requires that cleartext password authentication
is enabled and that the account does not have a cleartext password set.
The recently reported Vpopmail Cleartext Password Authentication Bypass cannot affect the H-Sphere mail subsystem. Ever since CRAM-MD5 and APOP password authentication were introduced into H-Sphere (starting from hsphere-mail2-all-4), H-Sphere mail updates have regenerated old mailbox passwords with cleartext password authentication, based on the related H-Sphere DB information.
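The precondition described above (cleartext authentication enabled, no cleartext password stored) can be modelled as follows. This is an added illustration, not Vpopmail or H-Sphere code: the account store, the function names and the assumption that the flawed verifier derives the expected response from an empty stored secret are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample store: user -> stored cleartext password.
# An empty string models an account with no cleartext password set.
ACCOUNTS = {
    "alice@example.com": "correct horse",
    "legacy@example.com": "",
}

def cram_md5_response(secret: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()

def apop_digest(secret: str, banner: bytes) -> str:
    """APOP (RFC 1939): hex MD5 of the banner timestamp followed by the secret."""
    return hashlib.md5(banner + secret.encode()).hexdigest()

def verify_weak(user, response, challenge, scheme=cram_md5_response):
    """Flawed model: derives the expected value from whatever is stored, even ""."""
    stored = ACCOUNTS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(scheme(stored, challenge), response)

def verify_strict(user, response, challenge, scheme=cram_md5_response):
    """Hardened: an account without a cleartext secret cannot use these mechanisms."""
    stored = ACCOUNTS.get(user)
    if not stored:  # missing account or empty cleartext field
        return False
    return hmac.compare_digest(scheme(stored, challenge), response)

def accounts_missing_cleartext(accounts):
    """Audit helper: accounts that meet the advisory's precondition."""
    return sorted(user for user, pw in accounts.items() if not pw)

if __name__ == "__main__":
    challenge = b"<1896.697170952@mail.example.com>"  # constructed challenge
    blank = cram_md5_response("", challenge)
    print("weak accepts blank:  ", verify_weak("legacy@example.com", blank, challenge))
    print("strict accepts blank:", verify_strict("legacy@example.com", blank, challenge))
    print("needs regeneration:  ", accounts_missing_cleartext(ACCOUNTS))
```

Regenerating the cleartext field from an authoritative source, as the H-Sphere mail updates do, leaves the audit helper with nothing to report.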