Dovecot passdbs Argument Injection Authentication Bypass
Medium Nessus Plugin ID 31466
Synopsis
The remote mail server is affected by an authentication bypass vulnerability.
Description
The remote host is running Dovecot, an open source IMAP4 / POP3 server for Linux / Unix.
The version of Dovecot installed on the remote host uses the TAB character as an internal delimiter but fails to escape TABs that appear in a password. Provided Dovecot is configured to use a blocking passdb, an attacker can leverage this issue to bypass authentication and gain access to a user's mailbox.
Solution
Upgrade to Dovecot v1.0.13 / v1.1.rc3 or later.
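Added illustration (not Dovecot's code and not part of the plugin text): the class of bug described above, shown as the field count a receiver sees when a TAB-delimited record is built with and without escaping. The `user<TAB>password` record layout, the backslash escape encoding and all function names are assumptions chosen for this example.

```c
#include <stdio.h>

/* Escape one field for a TAB-delimited, newline-terminated record.
   Assumed encoding (not Dovecot's): '\' -> "\\", TAB -> "\t", LF -> "\n".
   Returns bytes written (excluding NUL), or -1 if out is too small. */
int escape_field(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        char esc = 0;
        if (*in == '\t') esc = 't';
        else if (*in == '\n') esc = 'n';
        else if (*in == '\\') esc = '\\';
        if (o + (esc ? 2 : 1) >= outsz) return -1;  /* keep room for NUL */
        if (esc) out[o++] = '\\';
        out[o++] = esc ? esc : *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Number of fields a receiver sees when it splits the record on raw TABs. */
int count_fields(const char *record)
{
    int n = 1;
    for (; *record != '\0'; record++)
        if (*record == '\t') n++;
    return n;
}

/* Build "user<TAB>password"; escape != 0 selects the hardened form.
   Returns the receiver's field count, or -1 if a buffer is too small. */
int fields_after_build(const char *user, const char *pass, int escape)
{
    char u[128], p[128], rec[260];
    if (escape) {
        if (escape_field(user, u, sizeof u) < 0 || escape_field(pass, p, sizeof p) < 0)
            return -1;
        user = u; pass = p;
    }
    if (snprintf(rec, sizeof rec, "%s\t%s", user, pass) >= (int)sizeof rec)
        return -1;
    return count_fields(rec);
}

int main(void)
{
    const char *pass = "secret\textra";  /* constructed sample input */
    printf("unescaped=%d escaped=%d\n", fields_after_build("alice", pass, 0),
           fields_after_build("alice", pass, 1));
    return 0;
}
```

A record built from two values should always parse as two fields; a count above two means client-supplied data crossed a field boundary.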