lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0408190409340.9750@phoenix.technopagan.org>
From: dave at technopagan.org (David E. Smith)
Subject: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption

On Mon, 16 Aug 2004, Adik wrote:

> IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
> encrypt its user passwords. Have a look at attached proof of concept tool,
> which will decrypt user password from local machine instantly.

Heck, this isn't even news. It was posted to Bugtraq a while back. Like 
1999. This URL details Imail's password scheme for Imail 5.0:

http://seclists.org/bugtraq/1999/Dec/0255.html

About a year ago, I found that article, and used it to "decrypt" a few 
lost email passwords on my Imail 7.15 installation.

Given the fact that Imail tries to do just about everything (it does POP3, 
SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries), 
this sort of thing is probably bound to stay around for a while.

One of the neat things about Imail (other than that it does practically 
everything) is that it's backwards-compatible. If my Imail 8.1x 
installation does something weird, I can roll it back to Imail 7.x with 
maybe fifteen minutes' work. This level of backwards compatibility does 
lead to weird problems and security issues (q.v. every version of DOS and 
Windows for about fifteen years).

...dave


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ