Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface



Giancarlo Razzolini
10/05/06, 20:40
c0redump@ackers.org.uk wrote:
>> While this is arguably a misfeature, it's not like anyone reading the
>> documentation wouldn't know about it, and you have to explicitly enable
>> it. It does not seem too much of a problem to me.
>
>> Joachim
>
> Hi.
>
> Of course it is, but it's hidden away nicely, and who reads
> documentation anyway eh? ;o) ..certainly not a system administrator in
> a hurry to set up a VPN while being bitched at by his boss. I thought
> I'd bring it to the attention of everyone on this list who may be
> running it, and didn't realise the implications. If you want to bitch
> about something, bitch about these XSS attacks appearing on bugtraq
> relating to guestbook v1, etc. that about two people in the world use
> that doesn't include big organisations. As opposed to OpenVPN - which
> is used by many, including some big organisations I'm guessing.
> Additionally, they could have put warnings in the actual code, checks,
> even disable binding to a specific NIC. However, as someone mentioned,
> they don't enable the interface by default - so we'll give them a blue
> peter badge for that.
>
> Have a lovely day.
>
> -- c0redump
> #hacktech @ undernet
> ps. thank you to the PGP girlies who gave me a free beer at infosec 2006
> - much love ;o)
>

People that don't read the documentation are the same that leave Apache
web servers open, the same that set up open relay mail servers, and so
on. So actually reading the documentation is the right thing to do. The
management interface is an experimental feature, and it's not supposed
to be used on production sites. And furthermore, you can have
authentication. From the OpenVPN manual:

--management IP port [pw-file]
Enable a TCP server on IP:port to handle daemon management
functions. pw-file, if specified, is a password file (password on
first line) or "stdin" to prompt from standard input. The password
provided will set the password which TCP clients will
need to provide in order to access management functions...

So, this is not a security flaw nor a design flaw, because it is an
EXPERIMENTAL feature. It is on the wish list for openvpn 2.1 to make it
use TLS/SSL. There is no point in your arguments. And, if you are so
worried about it, go use IPSec or even worse, use PPTP.

My 3 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
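
Added example, not part of the original message or of OpenVPN itself: a small audit of OpenVPN configuration text for the "management IP port [pw-file]" directive quoted above, flagging a non-loopback bind address and a missing password file. The sample config, the function name and the severity labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
# server.conf (constructed)
port 1194
proto udp
; management 127.0.0.1 7505 /etc/openvpn/mgmt.pw
management 0.0.0.0 7505
"""

def audit_management(config_text):
    """Return (line_no, severity, message) for every management directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        fields = []
        for tok in raw.split():
            if tok[0] in "#;":          # comment starts here, ignore the rest
                break
            fields.append(tok)
        # Accept both the config-file form and the command-line form (--management).
        if not fields or fields[0].lstrip("-") != "management":
            continue
        if len(fields) < 3:
            findings.append((line_no, "review", "expected: management IP port [pw-file]"))
            continue
        addr, has_pw = fields[1], len(fields) > 3
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            findings.append((line_no, "review", f"{addr} is not an IP literal"))
            continue
        if not loopback and not has_pw:
            sev, msg = "high", f"{addr}: reachable off-host with no password"
        elif not loopback:
            sev, msg = "medium", f"{addr}: password crosses the network over plain TCP"
        elif not has_pw:
            sev, msg = "low", f"{addr}: any local user can connect without a password"
        else:
            sev, msg = "ok", f"{addr}: loopback only, password file set"
        findings.append((line_no, sev, msg))
    return findings

if __name__ == "__main__":
    for finding in audit_management(SAMPLE_CONFIG):
        print(*finding)
```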

