| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.61.0408190409340.9750@phoenix.technopagan.org> Date: Thu, 19 Aug 2004 04:14:54 +0000 (GMT) From: "David E. Smith" <dave@...hnopagan.org> To: Adik <netninja@...mail.kg> Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com Subject: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption On Mon, 16 Aug 2004, Adik wrote: > IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to > encrypt its user passwords. Have a look at attached proof of concept tool, > which will decrypt user password from local machine instantly. Heck, this isn't even news. It was posted to Bugtraq a while back. Like 1999. This URL details Imail's password scheme for Imail 5.0: http://seclists.org/bugtraq/1999/Dec/0255.html About a year ago, I found that article, and used it to "decrypt" a few lost email passwords on my Imail 7.15 installation. Given the fact that Imail tries to do just about everything (it does POP3, SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries), this sort of thing is probably bound to stay around for a while. One of the neat things about Imail (other than that it does practically everything) is that it's backwards-compatible. If my Imail 8.1x installation does something weird, I can roll it back to Imail 7.x with maybe fifteen minutes' work. This level of backwards compatibility does lead to weird problems and security issues (q.v. every version of DOS and Windows for about fifteen years). ...dave _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists