Message-ID: <200408201143.AA336986146@selekta.com>
From: andy at selekta.com (andy )
Subject: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption
<http://www.croftssoftware.com/files/index.php?id=13>
About halfway down the page, there's a utility that'll decode them in nanoseconds, called, oddly enough, Decode Imail User Passwords.
andy
>On Mon, 16 Aug 2004, Adik wrote:
>
>> IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
>> encrypt its user passwords. Have a look at attached proof of concept tool,
>> which will decrypt user password from local machine instantly.
>
>Heck, this isn't even news. It was posted to Bugtraq a while back. Like
>1999. This URL details Imail's password scheme for Imail 5.0:
>
>http://seclists.org/bugtraq/1999/Dec/0255.html
>
>About a year ago, I found that article, and used it to "decrypt" a few
>lost email passwords on my Imail 7.15 installation.
>
>Given the fact that Imail tries to do just about everything (it does POP3,
>SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries),
>this sort of thing is probably bound to stay around for a while.
>
>One of the neat things about Imail (other than that it does practically
>everything) is that it's backwards-compatible. If my Imail 8.1x
>installation does something weird, I can roll it back to Imail 7.x with
>maybe fifteen minutes' work. This level of backwards compatibility does
>lead to weird problems and security issues (q.v. every version of DOS and
>Windows for about fifteen years).
>
>...dave
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
______________ ______________ ______________ ______________
selekta.com