Detections
Analytics
CVE-2007-1558
high
Description
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.
References
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782
https://issues.rpath.com/browse/RPL-1424
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1231
http://www.vupen.com/english/advisories/2008/0082
http://www.vupen.com/english/advisories/2007/2788
http://www.vupen.com/english/advisories/2007/1994
http://www.vupen.com/english/advisories/2007/1939
http://www.vupen.com/english/advisories/2007/1480
http://www.vupen.com/english/advisories/2007/1468
http://www.vupen.com/english/advisories/2007/1467
http://www.vupen.com/english/advisories/2007/1466
http://www.us-cert.gov/cas/techalerts/TA07-151A.html
http://www.ubuntu.com/usn/usn-520-1
http://www.ubuntu.com/usn/usn-469-1
http://www.trustix.org/errata/2007/0024/
http://www.trustix.org/errata/2007/0019/
http://www.securitytracker.com/id?1018008
http://www.securityfocus.com/bid/23257
http://www.securityfocus.com/archive/1/471842/100/0/threaded
http://www.securityfocus.com/archive/1/471720/100/0/threaded
http://www.securityfocus.com/archive/1/471455/100/0/threaded
http://www.securityfocus.com/archive/1/470172/100/200/threaded
http://www.securityfocus.com/archive/1/464569/100/0/threaded
http://www.securityfocus.com/archive/1/464477/30/0/threaded
http://www.redhat.com/support/errata/RHSA-2009-1140.html
http://www.redhat.com/support/errata/RHSA-2007-0402.html
http://www.redhat.com/support/errata/RHSA-2007-0401.html
http://www.redhat.com/support/errata/RHSA-2007-0386.html
http://www.redhat.com/support/errata/RHSA-2007-0385.html
http://www.redhat.com/support/errata/RHSA-2007-0353.html
http://www.redhat.com/support/errata/RHSA-2007-0344.html
http://www.openwall.com/lists/oss-security/2009/08/18/1
http://www.openwall.com/lists/oss-security/2009/08/15/1
http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
http://www.novell.com/linux/security/advisories/2007_14_sr.html
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html
http://www.mandriva.com/security/advisories?name=MDKSA-2007:131
http://www.mandriva.com/security/advisories?name=MDKSA-2007:119
http://www.mandriva.com/security/advisories?name=MDKSA-2007:113
http://www.mandriva.com/security/advisories?name=MDKSA-2007:107
http://www.mandriva.com/security/advisories?name=MDKSA-2007:105
http://www.debian.org/security/2007/dsa-1305
http://www.debian.org/security/2007/dsa-1300
http://www.claws-mail.org/news.php
http://sylpheed.sraoss.jp/en/news.html
http://sourceforge.net/forum/forum.php?forum_id=683706
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
http://security.gentoo.org/glsa/glsa-200706-06.xml
http://secunia.com/advisories/35699
http://secunia.com/advisories/26415
http://secunia.com/advisories/26083
http://secunia.com/advisories/25894
http://secunia.com/advisories/25858
http://secunia.com/advisories/25798
http://secunia.com/advisories/25750
http://secunia.com/advisories/25664
http://secunia.com/advisories/25559
http://secunia.com/advisories/25546
http://secunia.com/advisories/25534
http://secunia.com/advisories/25529
http://secunia.com/advisories/25496
http://secunia.com/advisories/25476
http://secunia.com/advisories/25402
http://secunia.com/advisories/25353
http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt