c0redump@xxxxxxxxxxxxx wrote:
>> While this is arguably a misfeature, it's not like anyone reading the
>> documentation wouldn't know about it, and you have to explicitly enable
>> it. It does not seem too much of a problem to me.
>
>> Joachim
>
> Hi.
>
> Of course it is, but it's hidden away nicely, and who reads
> documentation anyway eh? ;o) ..certainly not a system administrator in
> a hurry to set up a VPN while being bitched at by his boss. I thought
> I'd bring it to the attention of everyone on this list who may be
> running it, and didn't realise the implications. If you want to bitch
> about something, bitch about these XSS attacks appearing on bugtraq
> relating to guestbook v1, etc. that about two people in the world use
> that doesn't include big organisations. As opposed to OpenVPN - which
> is used by many, including some big organisations I'm guessing.
> Additionally, they could have put warnings in the actual code, checks,
> even disable binding to a specific NIC. However, as someone mentioned,
> they don't enable the interface by default - so we'll give them a blue
> peter badge for that.
>
> Have a lovely day.
>
> --
> c0redump
> #hacktech @ undernet
> ps. thank you to the PGP girlies who gave me a free beer at infosec 2006
> - much love ;o)
>
>

People that don't read the documentation are the same that leave apache
web servers open, the same that set up open relay mail servers, and so on.
So actually reading the documentation is the right thing to do. The
management interface is an experimental feature, and it's not supposed to
be used on production sites. And furthermore, you can have authentication.
From the openvpn manual:

--management IP port [pw-file]
    Enable a TCP server on IP:port to handle daemon management functions.
    pw-file, if specified, is a password file (password on first line) or
    "stdin" to prompt from standard input. The password provided will set
    the password which TCP clients will need to provide in order to access
    management functions...

So, this is not a security flaw nor a design flaw, because it is an
EXPERIMENTAL feature. It is on the wish list for openvpn 2.1 to make it
use TLS/SSL. There is no point in your arguments. And, if you are so
worried about it, go use IPSec or even worse, use PPTP.

My 3 cents,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
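
Added example, not part of the original message and not OpenVPN's own code: a small Python check that reads OpenVPN configuration text for the `management IP port [pw-file]` directive quoted from the manual above and flags listeners bound to a non-loopback address or started without a pw-file. The function name, the finding format and the sample configuration are assumptions constructed for illustration.

```python
"""Audit OpenVPN config text for risky `management IP port [pw-file]` lines."""
import ipaddress
import shlex


def audit_management(config_text):
    """Return one finding dict per management directive found."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:
            continue  # unbalanced quotes: not a line we can judge
        if not tokens or tokens[0].startswith(";"):
            continue  # blank line or ';' comment
        if tokens[0].lstrip("-") != "management" or len(tokens) < 3:
            continue
        addr, port = tokens[1], tokens[2]
        pw_file = tokens[3] if len(tokens) > 3 else None
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = addr == "localhost"  # other names: treat as exposed
        issues = []
        if not loopback:
            issues.append("listens on non-loopback address")
        if pw_file is None:
            issues.append("no pw-file, so no password is required")
        findings.append({"line": line_no, "addr": addr, "port": port,
                         "pw_file": pw_file, "issues": issues})
    return findings


# Constructed sample config, not taken from any real deployment.
SAMPLE = """\
# server.conf (constructed)
port 1194
management 0.0.0.0 7505
;management 10.0.0.1 7505
management 127.0.0.1 7506 /etc/openvpn/mgmt.pw
management 192.0.2.10 7507 stdin
"""

if __name__ == "__main__":
    for f in audit_management(SAMPLE):
        status = "; ".join(f["issues"]) or "ok"
        print(f"line {f['line']}: management {f['addr']}:{f['port']} -> {status}")
```

A non-loopback listener is flagged even when a pw-file is set, because the message notes that TLS/SSL for the management interface is still only on the wish list.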