[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000a01c67046$69ae2580$edb68456@TRINITY>
Date: Fri, 5 May 2006 14:18:29 +0100
From: <c0redump@...ers.org.uk>
To: <bugtraq@...urityfocus.com>
Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
>While this is arguably a misfeature, it's not like anyone reading the
>documentation wouldn't know about it, and you have to explicitly enable
>it. It does not seem too much of a problem to me.
>Joachim
Hi.
Of course it is, but it's hidden away nicely, and who reads documentation
anyway eh? ;o) ..certainly not a system administrator in a hurry to set up
a VPN while being bitched at by his boss. I thought I'd bring it to the
attention of everyone on this list who may be running it, and didn't realise
the implications. If you want to bitch about something, bitch about these
XSS attacks appearing on bugtraq relating to guestbook v1, etc. that about
two people in the world use that doesn't include big organisations. As
opposed to OpenVPN - which is used by many, including some big organisations
I'm guessing. Additionally, they could have put warnings in the actual
code, checks, even disable binding to a specific NIC. However, as someone
mentioned, they don't enable the interface by default - so we'll give them a
blue peter badge for that.
Have a lovely day.
-- c0redump
#hacktech @ undernet
ps. thank you to the PGP girlies who gave me a free beer at infosec 2006 -
much love ;o)
Powered by blists - more mailing lists