While this is arguably a misfeature, it's not like anyone reading the documentation wouldn't know about it, and you have to explicitly enable it. It does not seem too much of a problem to me.
Joachim
Hi.Of course it is, but it's hidden away nicely, and who reads documentation anyway eh? ;o) ..certainly not a system administrator in a hurry to set up a VPN while being bitched at by his boss. I thought I'd bring it to the attention of everyone on this list who may be running it, and didn't realise the implications. If you want to bitch about something, bitch about these XSS attacks appearing on bugtraq relating to guestbook v1, etc. that about two people in the world use that doesn't include big organisations. As opposed to OpenVPN - which is used by many, including some big organisations I'm guessing. Additionally, they could have put warnings in the actual code, checks, even disable binding to a specific NIC. However, as someone mentioned, they don't enable the interface by default - so we'll give them a blue peter badge for that.
Have a lovely day. -- c0redump #hacktech @ undernetps. thank you to the PGP girlies who gave me a free beer at infosec 2006 - much love ;o)