FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dovecot -- Specific LDAP + auth cache configuration may mix up user logins

Affected packages
dovecot < 1.0.10

Details

VuXML ID cf484358-b5d6-11dc-8de0-001c2514716c
Discovery 2007-12-21
Entry 2007-12-29

Dovecot reports:

If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails.
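The collision described in the report, as an added example that is not part of Dovecot's report or Dovecot's code: a simplified model of an auth cache whose key is built only from the variables the filter expands. The `AuthCache` class, the `key_template` parameter, the users, password and home paths are all constructed for illustration, and including the full user name in the key is shown as the mitigation in this model only.

```python
import time

# Constructed directory standing in for LDAP: same domain, same password.
DIRECTORY = {
    "alice@example.org": {"password": "s3cret", "home": "/home/alice"},
    "bob@example.org": {"password": "s3cret", "home": "/home/bob"},
}

class AuthCache:
    """Toy auth cache; key_template plays the role of the pass_filter variables."""

    def __init__(self, key_template, ttl=3600, clock=time.monotonic):
        self.key_template, self.ttl, self.clock = key_template, ttl, clock
        self.entries = {}  # key -> (stored_at, password, pass_attrs)

    def _key(self, user):
        local, _, domain = user.partition("@")
        key = self.key_template
        for var, value in (("%u", user), ("%n", local), ("%d", domain)):
            key = key.replace(var, value)
        return key

    def login(self, user, password):
        key, now = self._key(user), self.clock()
        hit = self.entries.get(key)
        if hit and now - hit[0] < self.ttl and hit[1] == password:
            return hit[2]  # cache hit: pass_attrs returned without a lookup
        record = DIRECTORY.get(user)
        if record is None or record["password"] != password:
            return None
        attrs = {"home": record["home"]}
        self.entries[key] = (now, password, attrs)
        return attrs

def second_login_home(key_template, wait=0):
    """Home directory bob is given when he logs in `wait` seconds after alice."""
    t = [0.0]
    cache = AuthCache(key_template, clock=lambda: t[0])
    cache.login("alice@example.org", "s3cret")
    t[0] += wait
    return cache.login("bob@example.org", "s3cret")["home"]

if __name__ == "__main__":
    print(second_login_home("%d"))             # key lacks the user
    print(second_login_home("%d", wait=3600))  # cached entry has expired
    print(second_login_home("%u"))             # key includes the user
```

In this model the mix-up needs three things at once: a key that does not distinguish the users, an identical password, and a second login inside the TTL window.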

References

URL http://www.dovecot.org/list/dovecot-news/2007-December/000057.html