> The problem is that an application that accepts a username/password and
> attempts to validate using $HASH_PASSWORD and $GETUAI *must* also make
> explicit calls to $SCAN_INTRUSION, otherwise it provides a back door
> around the intrusion detection mechanism.  I have seen this on many
> applications, including POP servers and web scripts to change your
> password.  With the benefit of hindsight, it might have been a better
> idea to provide a $VERIFY_PASSWORD service which combines the three
> functions above, because it is so easy for a developer to overlook it.

> Another place to check is if the UCX SMTP server supports SASL (this is
> the "my-server-requires-authentication" checkbox in the POP client).
> SASL allows the client to pass a username/password in the ESMTP dialog
> so that you can allow authenticated clients to relay through your server
> irrespective of what IP address they are coming from .  Even PMDF
> overlooked putting this through $SCAN_INTRUSION when it first came out
> (it was fixed pretty quickly).  Only slightly more difficult to script
> an attack on this one.

> To check if your SMTP server supports SASL, telnet to port 25 and issue
> an EHLO command.  Look for the AUTH extension.  It is harder to test
> using telnet because the username/password pair need to be BASE64 encoded.

> ---------------------------------------------------------
> Tom Wade                 | EMail: tee dot wade at eurokom dot ie
> EuroKom                  | Tel:   +353 (1) 296-9696
> A2, Nutgrove Office Park | Fax:   +353 (1) 296-9697
> Rathfarnham              | Disclaimer:  This is not a disclaimer
> Dublin 14                | Tip:   "Friends don't let friends do Unix !"
> Ireland