<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos network security services platform

Bugtraq: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption

Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption

From: Dave Warren <dave.warren_at_devilsplayground.net>
Date: Tue, 17 Aug 2004 04:37:59 -0600

Adik wrote:

>IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
>encrypt its user passwords. Have a look at attached proof of concept tool, which will decrypt user password from local machine instantly.
>
>
Unfortunately being able to decrypt passwords is absolutely required in
order to support APOP, or SMTP CRAM-MD5 authentication.

With that in mind, this isn't so much a bug, but rather a design flaw
necessitated to support the protocols involved.

-- 
Dave Warren,
 Email/MSN MSG:  dave.warren_at_devilsplayground.net
 Phone: (403) 770-6140     Vonage: (817) 886-0860
 Cell:  (403) 371-3470  Toll free: (888) 371-3470
 ICQ: 17848192                     AIM: devilspgd

Received on Aug 17 2004

This message: [ Message body ]
Next message: Colin Alston: "Re: First vulnerabilities in the SP2 - XP ?..."
Previous message: Abu Lafy: "Cross-Site Scripting (XSS) in Php-Nuke 7.1.0"
In reply to: Adik: "IpSwitch IMail Server <= ver 8.1 User Password Decryption"
Next in thread: Jérôme: "Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]