A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.

The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195.

A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system.
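To make the RFC2195 exchange concrete, the following is an added example (it is not code from the University of Washington IMAP server and does not reproduce its bug): a minimal CRAM-MD5 client response and the server-side check that decides success. The hostname, user table and password lookup are constructed for illustration. The point of the server function is the one the advisory turns on: the only condition for success is that the client's HMAC-MD5 digest of the server's challenge, keyed with the stored password of the named user, matches the server's own computation; any other outcome (unknown user, malformed response, digest mismatch) is a failure.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional


def make_challenge(hostname: str = "imap.example.test") -> str:
    """Build an RFC2195 challenge: a unique string of the form <nonce.timestamp@host>.
    The hostname is a constructed placeholder."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def client_response(challenge: str, username: str, password: str) -> str:
    """What a client sends back: base64("username" SP hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_response(challenge: str, response_b64: str,
                    lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server-side decision. Returns True only when the digest matches the one
    computed from the stored password for the claimed user; every other path
    returns False, so a logic error here is an authentication bypass."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed response: fail closed
    stored = lookup_password(username)
    if stored is None:
        return False  # unknown user: fail closed
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison; the *sole* success condition is digest equality.
    return hmac.compare_digest(expected, digest)


# Constructed sample user database (plaintext passwords are required by CRAM-MD5,
# which is one reason the mechanism is disfavoured today).
_USERS = {"alice": "correct horse battery staple"}


def lookup_password(username: str) -> Optional[str]:
    return _USERS.get(username)


def run_exchange(username: str, password: str) -> bool:
    """Simulate both sides of one AUTHENTICATE CRAM-MD5 round and return the verdict."""
    challenge = make_challenge()
    # Server line on the wire would be: "+ " + base64(challenge)
    response = client_response(challenge, username, password)
    return verify_response(challenge, response, lookup_password)


if __name__ == "__main__":
    print("good password:", run_exchange("alice", "correct horse battery staple"))
    print("bad password: ", run_exchange("alice", "wrong"))
    print("unknown user: ", run_exchange("mallory", "anything"))
```

Running the block prints True for the correct password and False for the other two cases. When reviewing a CRAM-MD5 implementation, the check to make is exactly this: every return path other than a verified digest match must deny, and the comparison must be the last word.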