Published: 2001-08-31 00:00:00
Revised: 2016-10-17 22:09:09

qpopper POP server creates lock files with predictable names, which allows local users to cause a denial of service for other users (lack of mail access) by creating lock files for other mail boxes.

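- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]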

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20000420 pop3d/imap DOS (while we're on the subject)
(UNKNOWN)  BUGTRAQ  20000420 pop3
(UNKNOWN)  BID  1132

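- Vulnerability information

Low risk  Access validation error
2001-08-31 00:00:00 2005-10-20 00:00:00
        The qpopper POP server creates lock files with predictable names; a local user can cause a denial of service for other users (no mail access) by creating lock files for their mailboxes.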

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Vulnerability information (19869)

Qualcomm qpopper 2.53/3.0, RedHat imap 4.5 -4, UoW imap 4.5 popd Lock File DoS (EDBID:19869)
linux dos
2000-04-19 Verified
0 Alex Mottram
N/A

Vulnerabilities exist in a number of pop3 daemon implementations, having to do with their creation of lock files. Affected implementations include Qualcomm's qpopper and the popd included as part of the imap-4 rpm from RedHat. Lock files in both implementations are created with consistent local file names: the RedHat popd in /tmp, with a fairly random name (albeit consistent for a given user), and in the mail spool directory, with the user name preceded by a "." and followed by ".pop". Creating either of these files prevents the popd user from establishing a connection to retrieve their mail.

The FreeBSD port of imap-uw contains this vulnerability. It is not, however, included as a standard part of a FreeBSD install.

touch /var/mail/.username.pop		
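
The spool-directory lock naming described above can be audited from the defender's side. The following is an added example, not code from the original advisory or from qpopper: it lists `.<user>.pop` files that are symlinks, have no matching mailbox, or are owned by a different uid than the mailbox. It assumes a legitimate lock is owned by the mailbox owner; the function names and the constructed sample spool are illustrative, and the /tmp lock used by the RedHat popd is not covered.

```shell
#!/bin/sh
# Added example: audit a mail spool for POP lock files (".<user>.pop")
# that do not look like they belong to the mailbox they lock.
# Assumption: a legitimate lock is owned by the same uid as the mailbox.

owner_uid() {
    # Numeric owner of a file: GNU stat first, BSD stat as fallback.
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null
}

audit_pop_locks() {
    spool=${1:-/var/mail}
    for lock in "$spool"/.*.pop; do
        # Skip the literal pattern when the glob matched nothing.
        [ -e "$lock" ] || [ -L "$lock" ] || continue
        name=${lock##*/}       # .alice.pop
        user=${name#.}         # alice.pop
        user=${user%.pop}      # alice
        mbox=$spool/$user
        if [ -L "$lock" ]; then
            echo "SYMLINK $lock"
        elif [ ! -e "$mbox" ]; then
            echo "NO_MAILBOX $lock"
        elif [ "$(owner_uid "$lock")" != "$(owner_uid "$mbox")" ]; then
            echo "OWNER_MISMATCH $lock"
        fi
    done
}

# Constructed sample spool (not real data): one consistent lock,
# one lock without a mailbox, one lock that is a symlink.
demo_constructed_spool() {
    d=$(mktemp -d) || return 1
    : > "$d/alice"; : > "$d/.alice.pop"
    : > "$d/.bob.pop"
    : > "$d/carol"; ln -s /dev/null "$d/.carol.pop"
    audit_pop_locks "$d" | sed "s|$d/||"
    rm -rf "$d"
}

# Stand-alone use: sh audit.sh /var/mail
if [ "$#" -gt 0 ]; then audit_pop_locks "$1"; fi
```

Findings are leads for review rather than proof of abuse: a lock left by a crashed session can also show up as stale, so compare the file's timestamp with the daemon's session logs before removing it.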

- Vulnerability information

Qpopper Lock File Symlink Local DoS
Local Access Required Denial of Service, Race Condition
Loss of Availability Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-04-20 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete