Re: [Exim] CRAM-MD5 fudging

Startseite
Diese Nachricht ist Teil des folgenden Threads:
M--\Der komplette Thread sortiert nach Datum
M+\MNico Erfurth am <-
MMMMNico Erfurth am ->
Nachricht löschen
Nachricht beantworten
Autor: John Jetmore
Datum:  
To: Nico Erfurth
CC: Tamas TEVESZ, exim-users
Betreff: Re: [Exim] CRAM-MD5 fudging
On Wed, 12 Mar 2003, Nico Erfurth wrote:

> > umm, you're right. but how the hell was i able to properly
> > authenticate everytime, then ? i did my first tests by hand, which
> > involved manual b64 decoding, the creating the response hash,
> > b64-encoding it, then feeding it to exim - it *definitely* takes more
> > time than a second...
>
> Hmmm, well let me think, maybe it doesn't matter, whatever you have the
> same Challange or not, in your situation?

Just a thought, but if the challenge was literally
'<$tod_epoch@$primary_hostname>', that's still a useable challenge string.
It's not RFC compliant, but that doesn't necessarily mean anything. it
would make your server vulnerable to a replay attack (or whatever it's
called) though. I will say I just set up a test using the macro version
and I do get presented with <1047505235@???> as the
challenge, so it's getting expanded somewhere (this is 4.12, not sure when
server_prompts started getting expanded).



Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
Exim-users
Mailing-List-Info | Nachrichten um die Zeit		<-Re: [Exim] CRAM-MD5 fudging[Exim] Problem with the RBL-Feature and Dial-Up Hosts authentificating via SMTP-Auth->
Tahini and Hummus and Cumin Development Archives administriert von cumin AdminsLurker (Version 2.3)