Re: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption

["andy " <andy () selekta com>]

<http://www.croftssoftware.com/files/index.php?id=13>

About halfway down the page, there's a utility that'll decode them in nanoseconds, called oddly enough, Decode Imail 
User Passwords.

andy

> On Mon, 16 Aug 2004, Adik wrote:
>
> > IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
> > encrypt its user passwords. Have a look at attached proof of concept tool,
> > which will decrypt user password from local machine instantly.
>
> Heck, this isn't even news. It was posted to Bugtraq a while back. Like 
> 1999. This URL details Imail's password scheme for Imail 5.0:
>
> http://seclists.org/bugtraq/1999/Dec/0255.html
>
> About a year ago, I found that article, and used it to "decrypt" a few 
> lost email passwords on my Imail 7.15 installation.
>
> Given the fact that Imail tries to do just about everything (it does POP3, 
> SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries), 
> this sort of thing is probably bound to stay around for a while.
>
> One of the neat things about Imail (other than that it does practically 
> everything) is that it's backwards-compatible. If my Imail 8.1x 
> installation does something weird, I can roll it back to Imail 7.x with 
> maybe fifteen minutes' work. This level of backwards compatibility does 
> lead to weird problems and security issues (q.v. every version of DOS and 
> Windows for about fifteen years).
>
> ...dave
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
 

 
______________ ______________ ______________ ______________
selekta.com


 
                   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html