| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 May 2006 14:18:29 +0100 From: <c0redump@...ers.org.uk> To: <bugtraq@...urityfocus.com> Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw >While this is arguably a misfeature, it's not like anyone reading the >documentation wouldn't know about it, and you have to explicitly enable >it. It does not seem too much of a problem to me. >Joachim Hi. Of course it is, but it's hidden away nicely, and who reads documentation anyway eh? ;o) ..certainly not a system administrator in a hurry to set up a VPN while being bitched at by his boss. I thought I'd bring it to the attention of everyone on this list who may be running it, and didn't realise the implications. If you want to bitch about something, bitch about these XSS attacks appearing on bugtraq relating to guestbook v1, etc. that about two people in the world use that doesn't include big organisations. As opposed to OpenVPN - which is used by many, including some big organisations I'm guessing. Additionally, they could have put warnings in the actual code, checks, even disable binding to a specific NIC. However, as someone mentioned, they don't enable the interface by default - so we'll give them a blue peter badge for that. Have a lovely day. -- c0redump #hacktech @ undernet ps. thank you to the PGP girlies who gave me a free beer at infosec 2006 - much love ;o)
Powered by blists - more mailing lists