Full Disclosure mailing list archives
Re: Forticlient VPN client credential interception vulnerability
From: Thierry Zoller <thierry () zoller lu>
Date: Wed, 01 May 2013 12:36:17 +0200
You got to be kidding me...
FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
When the FortiClient VPN client is tricked into connecting to a proxy server rather than to the original firewall (e.g. through ARP or DNS spoofing,) it detects the wrong SSL certificate but it only warns the user _AFTER_ it has already sent the password to the proxy.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Forticlient VPN client credential interception vulnerability Philippe oechslin (May 01)
- Re: Forticlient VPN client credential interception vulnerability Thierry Zoller (May 01)
- Re: Forticlient VPN client credential interception vulnerability Patrick Webster (May 02)
- Re: Forticlient VPN client credential interception vulnerability Thierry Zoller (May 01)