Opened 12 years ago

Last modified 9 years ago

#455 new defect

PEAR::Net_POP3 and PHP 5.2.1 force the use of APOP

Reported by: alexandre.ghisoli@… Owned by: rjl
Priority: normal Milestone: post-1.0.3 triage
Component: General Version: 1.0.2
Severity: major Keywords:
Cc:

Description

After an upgrade to PHP 5.2.1, we cannot log in to Maia, getting wrong password all the time. I'm using 1.0.3 with POP3 auth.

Thanks to a Wireshark capture, I was able to track down this issue, caused by the APOP auth method, but my server doesn't support it. Here is the simplified transcript:

1: Maia (PEAR::Net_POP3) asks for CAPA
2: server returns USER and a few others, but not APOP
3: Maia sends APOP username MD5SUM
4: Maia sends USER username
5: POP3 server drops the connection with ERR- Invalid password

This means that PEAR::Net_POP3 always sends APOP then USER, and hopes that one of the two will work. Unfortunately, my server returns wrong password after 3) but waits a few seconds before returning ERR- password to avoid brute force attacks.

Probably a PEAR::Net_POP3 bug, but that will impact Maia as well, and only since the PHP 5.2 migration.

To bypass this issue, I've been forced to edit my auth.php and force the USER mode:

        $result = $mbox->login($user, $pass, 'USER');

Change History (4)

comment:1 Changed 12 years ago by anonymous

Basically you are telling us that an external module is changing behaviour. I am not sure whether we (Maia Mailguard community) should fix this or the Net_POP3 PEAR maintainers. Personally I don't have issues with a similar setup using similar credentials.

comment:2 Changed 12 years ago by anonymous

Probably Maia can't fix it at all, since this issue resides outside of Maia code.
But Maia can inform its users of this issue. It probably depends on how the POP3 server reacts to unsupported checks. I just ran into this bug, found the exact source and a way to work around it. Sharing with other people is a way to get it fixed.

Also, it was working perfectly with PHP 5.1.6 but not anymore with 5.2.1.

Don't get me wrong, I'm not asking for a fix from the Maia project; it's an issue that could happen when people migrate to PHP 5.2, and this can be soon because of the Month of PHP Bugs (http://www.php-security.org/).

comment:3 Changed 12 years ago by dmorton

  • Milestone set to 1.0.3

If we can get it narrowed down to particular versions, we can add a configtest warning.

comment:4 Changed 9 years ago by mortonda@…

  • Milestone changed from 1.0.3 to post-1.0.3 triage
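
One way a client could pick a single POP3 login method from what the server advertises, instead of sending APOP and then USER as in the transcript in the description (an added example, not Maia or PEAR::Net_POP3 code). It assumes APOP support is signalled by the RFC 1939 timestamp in the greeting and USER by the RFC 2449 CAPA list; the function names and the first sample input are hypothetical.

```php
<?php
// Added example, not Maia or Net_POP3 code; all function names are hypothetical.
/** Return the RFC 1939 APOP timestamp (<...@...>) from the greeting, or null. */
function apopTimestamp(string $greeting): ?string
{
    if (strncmp($greeting, '+OK', 3) !== 0) {
        return null;
    }
    return preg_match('/<[^<>\s]+@[^<>\s]+>/', $greeting, $m) ? $m[0] : null;
}

/** Parse the lines of a CAPA response (RFC 2449) into name => arguments. */
function parseCapa(array $lines): array
{
    $caps = [];
    foreach ($lines as $line) {
        $line = strtoupper(trim($line));
        if ($line === '' || $line === '.' || $line[0] === '+' || $line[0] === '-') {
            continue; // status line or terminator, not a capability
        }
        $parts = preg_split('/\s+/', $line);
        $name = array_shift($parts);
        $caps[$name] = $parts;
    }
    return $caps;
}

/** Pick exactly one login command, so no attempt is spent on a refused method. */
function chooseLogin(string $greeting, array $capaLines, string $user, string $pass): array
{
    if (preg_match('/[\r\n ]/', $user)) {
        throw new InvalidArgumentException('Username must not contain CR, LF or space');
    }
    $timestamp = apopTimestamp($greeting);
    if ($timestamp !== null) {
        // APOP digest per RFC 1939: MD5 over the timestamp followed by the secret.
        return ['APOP', "APOP $user " . md5($timestamp . $pass)];
    }
    if (isset(parseCapa($capaLines)['USER'])) {
        return ['USER', "USER $user"]; // PASS is sent only after the server's +OK
    }
    throw new RuntimeException('Server offers neither APOP nor USER');
}

// Constructed input modelled on the report: USER in CAPA, no timestamp in the greeting.
$capa = ['+OK Capability list follows', 'TOP', 'USER', 'UIDL', '.'];
echo implode(' => ', chooseLogin('+OK POP3 ready', $capa, 'alice', 'constructed-secret')), "\n";
// Greeting and credentials from the APOP example in RFC 1939.
echo implode(' => ', chooseLogin('+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>', $capa, 'mrose', 'tanstaaf')), "\n";
```

The first element of the returned pair names the chosen method, which is the kind of value the workaround in the description passes as the third argument to login().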