Re: Serious bug in "radius" dialup authentication software

From: Phillip R. Jaenke (prjat_private)
Date: Sat Feb 21 1998 - 04:12:37 PST

    >You're not telling us which radius server. Livingston 1.16 or 2.01?
    >Merit? Cistron? etc (As a matter of fact I am sure Cistron is safe).
    
    Since this is the 22nd email I've received on this, I decided to CC: to
    bugtraq so everyone will PLEASE stop asking me this.
    
    So far, tested servers are:
    Livingston 1.16 to 2.01
    RadiusNT v2.x
    Merit
    
    So far, the only one NOT vulnerable is Merit. Cistron is untested, so I've
    got no idea whether or not it is. Best way to test is to telnet to a
    terminal server, and login with a valid username, with 40 or more spaces
    after it.
    
    As to Cistron being safe; safe is really relative here. If somebody nasty
    has your dialup numbers, then you might have to restart radius a lot.
    Otherwise, there's really no security risk that I've found.
    
    -prj
    
    -Ed Kuchar  (InterNIC Handle: EK113)  [ekucharat_private]
    NetLink Services, Inc. 216.468.5100(Cleveland) - 330.940.2700(Akron)
    salesat_private - http://www.nls.net - http://www.getinfo.net
    Serving: Cleveland, Akron, Medina, & Geauga County
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:58 PDT