Bugtraq mailing list archives

Re: Netscape Messaging server 4.15 poor error strings


From: James Mancini <jmancini () NETREO NET>
Date: Thu, 12 Oct 2000 12:43:47 -0700

I have also confirmed that CommuniGate Pro 3.3.2 exhibits the same behavior,
but additionally, it does not pause on authentication failures for
non-existent accounts. A 1-2 second pause is typical for an existing
account, allowing either a timing or a parsing method of grabbing accounts.
Post.Office 3.1.2 does not appear to suffer from this vulnerability.


--8<--Sample output follows ----
+OK host.company.com POP3 server (Post.Office v3.1.2 release (PO203-101c)
with ZPOP version 1.0) ready Thu, 12 Oct 2000 12:36:06 -0700
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser


--8<--Sample output follows ----
+OK CommuniGate Pro POP3 Server 3.3.2 ready
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
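
An added example, not part of the original post: a check an administrator can run over a captured POP3 session to see whether failed logins are worded differently for different account names, which is the parsing difference between the two sample sessions above. The function names are hypothetical, the transcripts are the sample sessions from the post with the banner lines dropped, and the timing difference the post mentions is not covered.

```python
import re

# Transcripts copied from the two sample sessions in the post (banners omitted).
POST_OFFICE = """\
user nobody
+OK Password required for nobody
pass nothing
-ERR Password failed for nobody
user realuser
+OK Password required for realuser
pass nothing
-ERR Password failed for realuser
"""

COMMUNIGATE = """\
user nobody
+OK please send the PASS
pass nothing
-ERR unknown user account
user realuser
+OK please send the PASS
pass nothing
-ERR incorrect password
"""


def failure_signatures(transcript):
    """Map each USER name to (USER reply, PASS reply), with the name masked."""
    sigs, user, replies = {}, None, []
    for line in transcript.splitlines():
        line = line.strip()
        m = re.match(r"user\s+(\S+)$", line, re.I)
        if m:
            user, replies = m.group(1), []
        elif user and line.startswith(("+OK", "-ERR")):
            # Mask the echoed account name so only the wording is compared.
            replies.append(re.sub(rf"\b{re.escape(user)}\b", "<user>", line))
            if len(replies) == 2:
                sigs[user] = tuple(replies)
                user = None
    return sigs


def leaks_account_existence(transcript):
    """True when failed logins for different names get different wording."""
    return len(set(failure_signatures(transcript).values())) > 1
```

A server passes this check when every failed login, for any account name, produces the same wording once the echoed name is masked, as the Post.Office session does.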

