[Tickets #7182] Re: IMAP login broken/double connection with maybe debug kinda stuff
bugs at horde.org
Mon Aug 11 04:18:19 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7182
------------------------------------------------------------------------------
Ticket | 7182
Updated By | VJTD3 at VJTD3.com
Summary | IMAP login broken/double connection with maybe debug kinda stuff
Queue | IMP
Version | 4.2
Type | Bug
State | Feedback
Priority | 1. Low
Milestone |
Patch | 1
Owners |
------------------------------------------------------------------------------
VJTD3 at VJTD3.com (2008-08-11 00:18) wrote:
no proxy, horde is running on the same box as the mail daemon. after
my edit things work. the password is never sent, if as you said it's
expecting a pass on the next line then there would be an error on the
next line about an invalid command with the password exposed.
so:
$read = $this->_runCommand("LOGIN \"$username\" {" . strlen($password) . "}");
if (!is_a($read, 'PEAR_Error') && ($read->type == IMP_IMAPCLIENT_CONTINUATION)) {
    $read = $this->_runCommand($password);
}
should result in:
LOGIN "username at password" {8}
password
with a clean login.
and my edit of:
$read = $this->_runCommand("LOGIN $username " . $password);
if (!is_a($read, 'PEAR_Error') && ($read->type == IMP_IMAPCLIENT_CONTINUATION)) {
    $read = $this->_runCommand($password);
}
should result in:
LOGIN username at password password
password
which would throw an error because of "password" clearly password isn't sent.
time to do it by hand... telnet...
* OK IMAP Module of ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.9.5)
A001 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 ArgosoftExt
A001 OK CAPABILITY completed
A002 LOGIN "username at password" {8}
A002 NO LOGIN failed
password
password BAD Unknown command
A003 LOGIN "username at password" {8}password
A003 NO LOGIN failed
A004 LOGIN "username at password" {8} password
A004 NO LOGIN failed
A005 LOGOUT
* BYE Aba he
A005 OK LOGOUT completed
no chance for a next line to have a password there is no window so if
it's a compliance issue others have the same problem. some kinda
switch is needed to turn that on/off.
those additional tries were to see if a space might work or if it was
just not looking for the line ending.
telnet to a different (linux) box
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
A001 CAPABILITY
* CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS
A001 OK CAPABILITY completed
A002 LOGIN "username at password" {8}
+ OK
password
A002 OK LOGIN Ok.
A003 LOGOUT
* BYE Courier-IMAP server shutting down
A003 OK LOGOUT completed
seems pretty hit and miss for ones that support it.
maybe a switch to force the normal version, literal, or auto. auto
maybe tries a second time using normal if literal fails before the
bailing.
is there an existing function that can be used to clean the variable
from injections where my modification is?
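
Added example, not part of the ticket message and not Horde/IMP code: one way to build the LOGIN line so that the username and password cannot break out of their arguments, with a quoted/literal/auto switch along the lines suggested above. The function names (imapQuoted, buildLogin) and the mode names are assumptions made for this illustration.

```php
<?php
// Added example: hypothetical helpers, not Horde/IMP code.

// Encode $value as an RFC 3501 quoted string, or return null when it
// cannot be sent that way (CR, LF, NUL and 8-bit bytes are not allowed).
function imapQuoted(string $value): ?string
{
    // CR/LF matter most: they would end the command line early, so the
    // rest of the value would be parsed by the server as a new command.
    if (preg_match('/[\x00\r\n\x80-\xff]/', $value)) {
        return null;
    }
    // Inside a quoted string only backslash and double quote are escaped.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

// Build the LOGIN exchange. $mode is 'quoted', 'literal' or 'auto'
// (assumed switch names). Returns [command line, literal data or null];
// literal data is sent only after the server replies with "+".
function buildLogin(string $tag, string $user, string $pass, string $mode = 'auto'): array
{
    $u = imapQuoted($user);
    if ($u === null) {
        throw new InvalidArgumentException('username cannot be quoted');
    }
    $p = ($mode === 'literal') ? null : imapQuoted($pass);
    if ($p !== null) {
        return ["$tag LOGIN $u $p", null];
    }
    if ($mode === 'quoted' || strpos($pass, "\0") !== false) {
        // Refuse instead of sending something the server would misparse.
        throw new InvalidArgumentException('password cannot be sent in this mode');
    }
    return ["$tag LOGIN $u {" . strlen($pass) . "}", $pass];
}

// Constructed sample values, not taken from the ticket.
$samples = ['secret12', 'pa"ss\\wd', "secret\r\nA999 NOOP"];
foreach ($samples as $pass) {
    foreach (['quoted', 'auto'] as $mode) {
        try {
            [$line, $literal] = buildLogin('A002', 'user', $pass, $mode);
            echo "$mode: $line", $literal === null ? '' : ' (+ literal)', "\n";
        } catch (InvalidArgumentException $e) {
            echo "$mode: rejected, ", $e->getMessage(), "\n";
        }
    }
}
```

In 'auto' mode this sketch prefers the single-line quoted form and uses a literal only when the value cannot be quoted, so a server that rejects literals in LOGIN is affected only for passwords containing CR, LF or 8-bit bytes.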