
SMTP interaction theft via MITM

Medium
PortSwigger Web Security

Team Summary

Official summary from PortSwigger Web Security

@duesee found it was possible for an active MITM to inject a plaintext collaborator ID and use that to steal collaborator SMTP interactions. We patched this in the following release: https://portswigger.net/burp/releases/professional-community-2020-9-2 This issue is closely related to CVE-2011-0411, and due to our non-standard SMTP implementation, some vulnerability scanners incorrectly flag the patched server as being vulnerable.

Reported by duesee

Vulnerability Details

Technical details and impact analysis

Cryptographic Issues - Generic
See http://www.postfix.org/CVE-2011-0411.html for a detailed description.

Impact

MitM could obtain user credentials.

Related CVEs

Associated Common Vulnerabilities and Exposures

The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to …
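The buffering flaw described in CVE-2011-0411, modelled as an added Python example (this is not code from PortSwigger, Postfix or the report): the server has already read a whole TCP segment into its plaintext buffer, so anything an active MITM appends after the client's STARTTLS line is still sitting there when TLS comes up and, without a flush, gets executed as if it had arrived over the encrypted channel. The TLS handshake is stubbed out; the command stream is constructed.

```python
"""Simulation of the CVE-2011-0411 STARTTLS input-buffering flaw.

The TLS handshake is stubbed out: only the read-buffer handling that the
CVE describes is modelled. The SMTP command stream is constructed.
"""


def run_session(raw_bytes: bytes, flush_on_starttls: bool) -> list:
    """Process a pipelined SMTP command stream read from the plaintext socket.

    Returns the command verbs the server executed *inside* the TLS session.
    flush_on_starttls=False models the vulnerable server; True models the fix
    required by RFC 3207 (discard state and unread input when switching to TLS).
    """
    buffered = raw_bytes
    tls_active = False
    executed_in_tls = []
    while buffered:
        line, _, buffered = buffered.partition(b"\r\n")
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS" and not tls_active:
            tls_active = True  # server answers 220 and would run the handshake here
            if flush_on_starttls:
                buffered = b""  # patched: plaintext bytes read early are dropped
            continue
        if tls_active:
            # Vulnerable path: leftover plaintext is treated as TLS-protected input.
            executed_in_tls.append(verb)
    return executed_in_tls


def plaintext_follows_starttls(raw_bytes: bytes) -> bool:
    """Detection check: True if any bytes were read in the same plaintext buffer
    after the STARTTLS line. A compliant client never pipelines after STARTTLS
    (RFC 3207), so this indicates a broken client or MITM tampering and is
    worth logging or treated as grounds to drop the connection."""
    lines = raw_bytes.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.split(b" ", 1)[0].upper() == b"STARTTLS":
            return any(lines[i + 1:])
    return False


if __name__ == "__main__":
    # Constructed stream: the client's EHLO/STARTTLS with a MITM-appended RSET and MAIL.
    stream = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\nMAIL FROM:<a@example>\r\n"
    print("vulnerable executed:", run_session(stream, flush_on_starttls=False))
    print("patched executed:   ", run_session(stream, flush_on_starttls=True))
    print("tampering detected: ", plaintext_follows_starttls(stream))
```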

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Cryptographic Issues - Generic