search for: server_login

...ne code to execute. Both the POP and IMAP servers Mr. Crispin distributes discard supervisory privileges sometime after this authentication phase. Unfortunately, the overflow occurs before this happens, and the vulnerability will thus allow an attacker superuser access. The problematic routine is server_login(), which is in "log_xxx.c" in the OS-dependent code tree of the server source distribution. The problem occurs due to the routine''s attempt to allow a case insensitive match on the username, which it does by copying the username provided to the routine into an automatic variable...