Full Disclosure mailing list archives

RE: iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords


From: David Endler <dendler () idefense com>
Date: Thu, 30 Jan 2003 11:00:24 -0500 (EST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Indeed, it is vulnerable in the same way as PuTTY.  I've contacted the
author, Martin Prikryl, who can hopefully turn around an update quickly.

- -dave

-----Original Message-----
From: Michael Renzmann [mailto:security () dylanic de]
Sent: Wednesday, January 29, 2003 1:25 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords


Hi.

iDEFENSE Labs wrote:
[...]
PuTTY is a free implementation of Telnet and SSH for Win32 platforms,
along with an xterm terminal emulator. More information is available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/.
[...]

AFAIK WinSCP2 is a program that relies on the codebase of PuTTY. Has
anyone information if WinSCP2 is also "vulnerable" to this?

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4A96E4F

iQA/AwUBPjlK8ErdNYRLCswqEQJZtQCgiZBZGExJRcHRTa766nuIREIKukEAoPZ0
7PSqPP5P+rnTl4Lh2/tcbuGO
=UAQe
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

