Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords

From: IRCXpro Support (support_at_ircxpro.com)
Date: 06/03/03

    To: "Darren Reed" <avalon@caligula.anu.edu.au>
    Date: Tue, 3 Jun 2003 16:31:43 +0100
    

    Reply to Feedback from Darren:

    > Firstly, there has been support for storing passwords, encrypted, in
    > configuration files on Unix for over 10 years, if not longer. I can

    The reason why IRC servers' "IRCD.config" files don't use encryption (see
    file attachment for example) is because 49 times out of 50 they do not come
    with a GUI program. Administrators' main method of changing the
    configuration is to manually edit the file using a notepad utility.

    > at leisure. Windows, Linux, it does not matter, there are security
    > threats to all environments that when exploited give outsiders some
    > sort of "local access".

    Then in this case this would be an operating system vulnerability.

    Overuse of encrypted passwords can be counterproductive to
    functionality.
    There are good reasons to keep passwords as clear text to better
    interface with other software.
    For example, Merak Mail server software
    (http://www.icewarp.com/Products/Merak_Email_Server_Software/):
    when using this mail server, it can store the accounts on an SQL Server.
    The passwords are stored clear text. This enables other software to
    interface with its data to create and sync its accounts/passwords with other
    systems.

    However, we will give the issue raised due attention in our next version
    release and appreciate everybody's efforts & feedback to further improve
    our product.

    Regards,
    IRCXpro Support

    ----- Original Message -----
    From: "Darren Reed" <avalon@caligula.anu.edu.au>
    To: "IRCXpro Support" <support@ircxpro.com>
    Cc: "morning_wood" <se_cur_ity@hotmail.com>; <bugtraq@securityfocus.com>;
    <full-disclosure@lists.netsys.com>
    Sent: Tuesday, June 03, 2003 3:10 PM
    Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default
    remote admin passwords

    > In some mail from IRCXpro Support, sie said:
    > >
    > > Vulnerability(s):
    > > 1. Local clear passwords
    > >
    > > Our Reply: It is common place for all IRC Server applications to store clear
    > > passwords in the IRCD.config files. The nature of the program is for it to
    > > be used by Remote Users, NOT local ones.
    >
    > There are a couple of extremely bad comments in these two sentences,
    > let us dwell on it for a moment or two.
    >
    > Firstly, there has been support for storing passwords, encrypted, in
    > configuration files on Unix for over 10 years, if not longer. I can
    > go pull out some source code of that vintage with support for using
    > crypt() to validate passwords if you're in doubt.
    >
    > Now, be that as it may, you've made a somewhat fatal assumption in
    > your justification - that the remote users will never have any other
    > access to the server that would let them browse the configuration
    > at leisure. Windows, Linux, it does not matter, there are security
    > threats to all environments that when exploited give outsiders some
    > sort of "local access".
    >
    > I find it somewhat disturbing to see development of inferior security
    > standards in products based on the supposition that nobody practises
    > good security with the various IRC server passwords.
    >
    > Darren
    >
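The exchange above turns on one technical point: a server can validate a password without ever storing it in readable form, which is what Darren's crypt() reference means. The following Python is an added illustration written for this archive page; it is not IRCXpro's code and the "key = value" config layout, the key names, and the sample passwords are all constructed assumptions, not the real IRCD.config format. It uses PBKDF2-HMAC-SHA256 from the standard library in place of the historical crypt() routine, stores each password as a self-describing `scheme$iterations$salt$digest` string, and adds two things an administrator in this situation would want: an audit that reports which password entries are still clear text, and a converter that rewrites those entries as salted hashes while leaving the rest of the file untouched.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"


def make_hash(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Return a self-describing salted hash: scheme$iterations$salt$digest.

    The salt is random per password, so two admins sharing a password get
    different stored values and one recovered entry says nothing about the other.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def is_hashed(value: str) -> bool:
    """True if a stored value is in the scheme$iterations$salt$digest form above."""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == SCHEME and parts[1].isdigit()


def verify(password: str, stored: str) -> bool:
    """crypt()-style validation: hash the candidate with the stored salt and compare.

    Nothing is decrypted; the comparison is constant-time so response timing
    does not leak how many bytes of the digest matched.
    """
    if not is_hashed(stored):
        return False
    _, iterations, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines of the constructed config format; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def audit_config(text: str) -> list:
    """Report every *password key as 'cleartext' or 'hashed' so exposure is visible at a glance."""
    report = []
    for key, value in parse_config(text).items():
        if key.endswith("password"):
            report.append((key, "hashed" if is_hashed(value) else "cleartext"))
    return report


def harden_config(text: str) -> str:
    """Rewrite clear-text *password entries as salted hashes; other lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("password") and not is_hashed(value.strip()):
            line = f"{key.strip()} = {make_hash(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample config (assumed layout, not the real IRCXpro file): the local
# admin password is still clear text, the remote one is already stored hashed.
SAMPLE_CONFIG = (
    "# constructed example config\n"
    "server_name = irc.example.test\n"
    "admin_password = hunter2\n"
    f"remote_admin_password = {make_hash('s3cret-remote')}\n"
)

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    hardened = harden_config(SAMPLE_CONFIG)
    print(hardened)
    print(verify("hunter2", parse_config(hardened)["admin_password"]))
```

The interoperability argument made in the reply (other software reading the password column to sync accounts) is exactly what a hashed store gives up, and that is the trade being discussed: any system that can sync from the clear-text value can also be driven from the same stored hash only if it speaks the same hash scheme, which is why the format string above names the scheme, iteration count and salt explicitly rather than storing a bare digest.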

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
