This script is Copyright (C) 2005-2011 Tenable Network Security, Inc.
The remote host has an application that is affected by an
authentication bypass vulnerability.
There is a flaw in the remote UW-IMAP server which allows an
authenticated user to log into the server as any user. The
flaw is in the CRAM-MD5 authentication scheme.
An attacker, exploiting this flaw, would only need to identify
a vulnerable UW-IMAP server which had enabled the CRAM-MD5
authentication scheme. The attacker would then be able to log
in as any valid user.
It is important to note that the IMAP daemon will automatically
enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.
Upgrade to the most recent version of UW-IMAP.
In addition, the fact that CRAM-MD5 is enabled indicates that
the server is storing the IMAP passwords in plaintext.
Ensure that the /etc/cram-md5.pwd file is mode 0400.
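
A way to check a host for the two conditions above (presence of the file, which enables CRAM-MD5, and its mode), as an added example that is not part of the original plugin. The function name and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Tenable's plugin code): audit the CRAM-MD5 password file.
# Return codes are constructed for this example:
#   0 = file absent, so its presence is not enabling CRAM-MD5
#   1 = file present with mode 0400 (CRAM-MD5 enabled, plaintext passwords stored)
#   2 = file present with a mode other than 0400
#   3 = path exists but is not a regular file (symlink, directory, ...)
audit_cram_md5_pwd() {
    f=${1:-/etc/cram-md5.pwd}

    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "OK: $f is absent; the IMAP daemon will not auto-enable CRAM-MD5"
        return 0
    fi

    # A symlink or directory here deserves a manual look, not a mode check.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "WARN: $f exists but is not a regular file"
        return 3
    fi

    # First 10 characters of 'ls -ld' are the type and permission bits;
    # anything after them (ACL or SELinux markers) is ignored.
    perms=$(ls -ld -- "$f" | cut -c1-10)

    if [ "$perms" = "-r--------" ]; then
        echo "NOTE: $f is mode 0400; CRAM-MD5 is enabled and passwords are stored in plaintext"
        return 1
    fi

    echo "FAIL: $f has permissions $perms; expected -r-------- (0400)"
    return 2
}
```

Call `audit_cram_md5_pwd` with no argument to check the default path. Return code 1 still means the server should be upgraded, since a correct file mode does not address the authentication flaw.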
Risk factor: High
CVSS Base Score: 9.3
CVSS Temporal Score: 6.9
Public Exploit Available: false