Re: [Full-Disclosure] Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption
- From: "andy " <andy@xxxxxxxxxxx>
- Date: Fri, 20 Aug 2004 11:43:02 -0400
<http://www.croftssoftware.com/files/index.php?id=13>
About halfway down the page, there's a utility that'll decode them in
nanoseconds, called, oddly enough, Decode Imail User Passwords.
andy
>On Mon, 16 Aug 2004, Adik wrote:
>
>> IpSwitch IMail Server version up to 8.1 uses a weak encryption algorithm to
>> encrypt its user passwords. Have a look at the attached proof of concept tool,
>> which will decrypt a user password from the local machine instantly.
>
>Heck, this isn't even news. It was posted to Bugtraq a while back. Like
>1999. This URL details Imail's password scheme for Imail 5.0:
>
>http://seclists.org/bugtraq/1999/Dec/0255.html
>
>About a year ago, I found that article, and used it to "decrypt" a few
>lost email passwords on my Imail 7.15 installation.
>
>Given the fact that Imail tries to do just about everything (it does POP3,
>SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries),
>this sort of thing is probably bound to stay around for a while.
>
>One of the neat things about Imail (other than that it does practically
>everything) is that it's backwards-compatible. If my Imail 8.1x
>installation does something weird, I can roll it back to Imail 7.x with
>maybe fifteen minutes' work. This level of backwards compatibility does
>lead to weird problems and security issues (q.v. every version of DOS and
>Windows for about fifteen years).
>
>...dave
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>