---------- Forwarded message ----------
Date: Sun, 01 Aug 1999 21:29:40 -0500
From: Irwan Amir Widjaja <irwanwat_private>
To: vuldbat_private
Subject: bo2k plugins

Hi,

I recently (July 31st) discovered that the CAST-256 plugin v2.2 allows any user to connect to any CAST256 server with any password. After reporting the bug to Daniel (the author), he fixed the plugin within a few hours and found that the problem lay within Maw~'s MD5 module, which he used for his plugin (Dan later found that MAW~'s IDEA plugin has the same flaw).

This is obviously a very big security risk for administrators who use bo2k as a legit remote administration tool (as opposed to a 'cracking & hacking' tool). Currently CAST-256 and IDEA are the only strong encryption plugins which are internationally available for bo2k (the only ones I'm aware of at least). There were over 1000 downloads of the faulty CAST256 plugin alone.

Both of these plugins have been updated by their authors.

Sincerely,
Amir