Vigil@nce: qmailAdmin, vpopmail, bypassing quotas

May 2009 by Vigil@nce

When the administrator defines quotas over 2Gb, they are not honoured by qmailAdmin and vpopmail.

- Severity: 1/4
- Consequences: denial of service
- Provenance: user account
- Means of attack: no proof of concept, no attack
- Ability of attacker: expert (4/4)
- Confidence: unique source (2/5)
- Diffusion of the vulnerable configuration: high (3/3)
- Creation date: 11/05/2009

IMPACTED PRODUCTS

- Unix - platform

DESCRIPTION OF THE VULNERABILITY

The vpopmail program is used to create virtual mailboxes. The qmailAdmin program is used to manage a qmail or vpopmail messaging system.

The administrator can define a quota in qmailAdmin and vpopmail in order to limit the size of users’ mailboxes.

However, these quotas are stored in a signed 32-bit integer. The maximum value is thus 2^31-1 = 2147483647 = 2GB. If the administrator defines a higher value, it is not honoured. The mailbox size is therefore not limited.

When the administrator defines quotas over 2Gb, they are thus not honoured by qmailAdmin and vpopmail.
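The following C program is an added illustration of this class of flaw and is not code from qmailAdmin or vpopmail. The function names, the sample values and the rule that a non-positive quota means "unlimited" are assumptions made for the example; it contrasts a quota narrowed into a signed 32-bit integer with a 64-bit parse that validates its input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the flaw: the quota (in bytes) is narrowed into a
 * signed 32-bit integer, so values above 2^31-1 wrap (two's complement). */
static int32_t parse_quota_32(const char *s)
{
    uint32_t low = (uint32_t)strtoull(s, NULL, 10);   /* keep the low 32 bits */
    return (low > INT32_MAX) ? (int32_t)((int64_t)low - 4294967296LL)
                             : (int32_t)low;
}

/* Hardened parse: 64-bit storage; rejects garbage, negatives and overflow.
 * Returns 0 on success and -1 on invalid input. */
static int parse_quota_64(const char *s, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0' || v < 0)
        return -1;
    *out = (int64_t)v;
    return 0;
}

/* Assumed enforcement rule: a non-positive quota is treated as "no limit". */
static int over_quota(int64_t quota, int64_t usage)
{
    return quota > 0 && usage > quota;
}

int main(void)
{
    const char *cfg = "3221225472";      /* constructed: 3 GB quota in bytes */
    int64_t usage = 4000000000LL;        /* constructed: mailbox of about 4 GB */
    int64_t q64;
    int32_t q32 = parse_quota_32(cfg);

    printf("32-bit: quota=%d over_quota=%d\n", (int)q32, over_quota(q32, usage));
    if (parse_quota_64(cfg, &q64) == 0)
        printf("64-bit: quota=%lld over_quota=%d\n",
               (long long)q64, over_quota(q64, usage));
    return 0;
}
```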

CHARACTERISTICS

- Identifiers: VIGILANCE-VUL-8702
- Url: http://vigilance.fr/vulnerability/qmailAdmin-vpopmail-bypassing-quotas-8702



