![]() In your case, the scanning software lists vulnerabilities for many different servers which makes me believe it has no idea what software you're running. So it listed all security vulnerabilities which were known in that other software. The last time a user reported a similar issue, it was because some scanning software had run some tests and identified hMailServer as another server. Based on this alone I'm assuming that this is just a generic warning message. CVE-2001-0776 is for some software named DynFX MailServer. CVE-1999-0822 for example was issued for the software qpop. Also, some of the referenced CVS are older than hMailServer. So no wonder you can't find it on your Windows system. The /etc/nf is a file typically only available on Linux/Unix systems. (Having siad that, there are mechanisms in hMailServer to protect against too long POP3 commands, to prevent buffer overflows from occurring.) I've seen this before when scanning software has been unable to detect what software is running the POP3 server, and then just assumed that the server *may* be vulnerable - since it doesn't know - which I guess isn't technically incorrect. There's bugs in all software and hMailServer is no exception.īut the warning sounds like a 'generic' warning message telling you that the server *may* be vulnerable. ![]() There is no such file called "inetd" on my server. Solution: If you do not use POP3, disable this service in /etc/nf and restart the inetd process. ![]() The remote POP3 server might be vulnerable to a buffer overflow bug when it is issued at least one of these commands, with a too long argument : auth user pass If confirmed, this problem might allow an attacker to execute arbitrary code on the remote system, thus giving him an interactive session on this host. Could you tell me if the pop3 listener is affected by this? Here is what security metrics said: Unfortunately, this possible vulnerability caused me to fail the PCI compliance test. The description their scan provided was brief and not very helpful. The scan identified a possible vulnerablitiy in the pop3 protocal used by hmailserver. I had to have my e-commerce web site scanned by Security Metrics to comply with the PCI standards so my credit card merchant is happy and doesn't fine me.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |