lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000a01c67046$69ae2580$edb68456@TRINITY>
Date: Fri, 5 May 2006 14:18:29 +0100
From: <c0redump@...ers.org.uk>
To: <bugtraq@...urityfocus.com>
Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw


>While this is arguably a misfeature, it's not like anyone reading the
>documentation wouldn't know about it, and you have to explicitly enable
>it. It does not seem too much of a problem to me.

>Joachim

Hi.

Of course it is, but it's hidden away nicely, and who reads documentation 
anyway eh? ;o)  ..certainly not a system administrator in a hurry to set up 
a VPN while being bitched at by his boss.  I thought I'd bring it to the 
attention of everyone on this list who may be running it, and didn't realise 
the implications.  If you want to bitch about something, bitch about these 
XSS attacks appearing on bugtraq relating to guestbook v1, etc. that about 
two people in the world use that doesn't include big organisations.  As 
opposed to OpenVPN - which is used by many, including some big organisations 
I'm guessing.  Additionally, they could have put warnings in the actual 
code, checks, even disable binding to a specific NIC.  However, as someone 
mentioned, they don't enable the interface by default - so we'll give them a 
blue peter badge for that.

Have a lovely day.

-- c0redump
#hacktech @ undernet
ps. thank you to the PGP girlies who gave me a free beer at infosec 2006 - 
much love ;o) 




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ