POP3Lite Input Validation Vulnerability

POP3Lite is a free, open-source compact POP3 daemon for Linux and BSD systems.

POP3Lite has an input validation problem that remote attackers may exploit. POP3Lite does not escape leading dots ('.') in the e-mail it transfers. At the very least this may cause unusual behavior, but it may also be manipulated to malicious effect: an attacker may be able to pass arbitrary server responses to the mail client of a user retrieving mail from a POP3Lite server.

Remote attackers may exploit this issue to inject messages or cause messages to be lost. A potential for mail-spoofing attacks also exists, as message headers can be falsified. A denial of service may also result, depending on how the client interprets the malicious input.
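
The escaping that is missing here is the byte-stuffing that RFC 1939 (section 3) requires for multi-line responses: a line that begins with '.' is sent with one extra '.' prepended, so that only the server's own ".\r\n" line ends the message. The following C sketch of that server-side step is an added example, not POP3Lite's code; the function name pop3_dot_stuff, the buffer sizes and the sample body are assumptions, and the input is assumed to use CRLF line endings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte-stuff a message body for a POP3 multi-line response (RFC 1939,
 * section 3): any line beginning with '.' gets one extra '.' prepended,
 * then the terminator ".\r\n" is appended.
 * Returns the number of bytes written to out, or 0 if cap is too small.
 * Hypothetical helper; assumes msg already uses CRLF line endings. */
size_t pop3_dot_stuff(const char *msg, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    int at_line_start = 1;

    for (size_t i = 0; i < len; i++) {
        if (at_line_start && msg[i] == '.') {
            if (o >= cap) return 0;
            out[o++] = '.';            /* the stuffed dot */
        }
        if (o >= cap) return 0;
        out[o++] = msg[i];
        at_line_start = (msg[i] == '\n');
    }
    /* Close an unterminated final line so the terminator sits on its own line. */
    if (!at_line_start) {
        if (o + 2 > cap) return 0;
        out[o++] = '\r';
        out[o++] = '\n';
    }
    if (o + 3 > cap) return 0;
    memcpy(out + o, ".\r\n", 3);
    return o + 3;
}

int main(void)
{
    /* Constructed sample: the second line is a lone dot, which an
     * unstuffed transfer would present to the client as end-of-message. */
    const char body[] = "Line one\r\n.\r\n.hidden\r\nLine two\r\n";
    char wire[128];
    size_t n = pop3_dot_stuff(body, sizeof body - 1, wire, sizeof wire);
    fwrite(wire, 1, n, stdout);
    return n ? 0 : 1;
}
```

A conforming client strips the extra dot on receipt, so the stored message is unchanged while the lone-dot line can no longer be read as the end of the response.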


Copyright 2010, SecurityFocus