RE: Check Point VPN-1 SecuRemote Flaw

From: Gordon, Paul (Paul.Gordonat_private)
Date: Tue Oct 23 2001 - 19:26:25 PDT

Next message: Stefanos Harhalakis: "Apache suexec"

Previous message: Miguel Angel Rodriguez Jodar: "Re: Javascript in IE may spoof the whole screen"
Maybe in reply to: Kratter, Dave: "Check Point VPN-1 SecuRemote Flaw"
Next in thread: Andy Fiddaman: "RE: Check Point VPN-1 SecuRemote Flaw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This has been a long-standing problem with SecuRemote. However, Checkpoint
claims to have fixed the problem in VPN-1 Next Generation. Now a generic
error message is received regardless of whether the username or password is
incorrect (although I've not personally verified this).

---------------------------------------------------------
Paul Gordon              Getronics Solutions (S) PTE LTD
Security Consultant      1 International Business Park
                         The Synergy
Ph:  +65 890 2828        #02-14/15
Fax: +65 890 2888        Singapore 609917

Email: paul.gordonat_private
---------------------------------------------------------

-----Original Message-----
From: Kratter, Dave [mailto:daveat_private]
Sent: Wednesday, 24 October 2001 5:07
To: 'bugtraqat_private'
Subject: Check Point VPN-1 SecuRemote Flaw


Summary:
	SecuRemote will show whether a username is recognized during failed
login attempts

Versions Tested:
	4.1 SP4 (4185) VPN+Strong for Windows 2000
	4.1 SP4 (4185) VPN+Strong for Windows NT

<snip>

Next message: Stefanos Harhalakis: "Apache suexec"
Previous message: Miguel Angel Rodriguez Jodar: "Re: Javascript in IE may spoof the whole screen"
Maybe in reply to: Kratter, Dave: "Check Point VPN-1 SecuRemote Flaw"
Next in thread: Andy Fiddaman: "RE: Check Point VPN-1 SecuRemote Flaw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 21:25:52 PDT