Red Hat PAM qpopper User Enumeration Vulnerability

Qpopper is a widely used POP daemon for Unix systems.

When qpopper is used in conjunction with PAM on Red Hat systems, remote attackers can enumerate valid account usernames. The daemon outputs different error messages for authentication attempts made with valid and invalid usernames, so the response itself reveals whether an account exists.

This information may make a brute-force attack significantly more feasible.

Note: This vulnerability only affects qpopper when it is used with PAM. Red Hat systems are reported to be vulnerable.
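
The differing error messages described above, shown beside a hardened form, as an added example that is not qpopper or PAM code. The account table, reply strings and function names are assumptions made for illustration; the hardened handler goes slightly beyond the advisory by also doing the same comparison work for unknown users.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample accounts; a real daemon would ask PAM instead. */
struct account { const char *user, *pass; };
static const struct account accounts[] = {
    { "alice", "correct-horse" }, { "bob", "battery-staple" },
};
/* Placeholder reply strings (assumptions), not qpopper's actual messages. */
#define REPLY_OK        "+OK mailbox ready"
#define REPLY_NO_USER   "-ERR unknown user"
#define REPLY_BAD_PASS  "-ERR wrong password"
#define REPLY_AUTH_FAIL "-ERR authentication failed"

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0) return &accounts[i];
    return NULL;
}

/* Compare without stopping at the first mismatching byte. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Vulnerable pattern: the reply reveals whether the account exists. */
const char *auth_reply_leaky(const char *user, const char *pass)
{
    const struct account *a = lookup(user);
    if (a == NULL) return REPLY_NO_USER;
    return strcmp(a->pass, pass) == 0 ? REPLY_OK : REPLY_BAD_PASS;
}

/* Hardened pattern: one failure reply, same comparison work either way. */
const char *auth_reply_uniform(const char *user, const char *pass)
{
    const struct account *a = lookup(user);
    int ok = same_secret(pass, a ? a->pass : "placeholder-for-unknown-user");
    return (a != NULL && ok) ? REPLY_OK : REPLY_AUTH_FAIL;
}

int main(void) { puts(auth_reply_uniform("mallory", "x")); return 0; }
```
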


 

Copyright 2010, SecurityFocus