session pw revealed in crash/direct

August Abolins

May 7, 2023, 7:23:37 AM
I thought this was corrected before, but OpenXP is again
revealing the session password that is normally shared with the
boss system to the system where the crashmail is being
directed. :(


--
../|ug

Martin Foster

May 8, 2023, 6:27:14 AM
Hello August!

*** Sunday 07.05.23 at 05:17, August Abolins wrote:

> I thought this was corrected before,

Yes, it was definitely fixed in 5.0.49(20.03.2021) because at that time, I
was still taking an active part in OpenXP development and I well remember
doing a *lot* of beta testing on this issue.

> but OpenXP is again revealing the session password that is normally
> shared with the boss system to the system where the crashmail is being
> directed. :(

At the time this issue was fixed, there was no way of telling whether it
was actually the session or the packet password that was being written to
the .PKT file(s) because OpenXP used the session password for the packet
password. There is now a way of telling which password is being written to
the .PKT file(s) because support for a separate packet password was
implemented in 5.0.56(07.05.2022).

After a bit of poking around in my own setup here and sending a couple of
crash netmails, it appears that OpenXP is writing the Primary Fido Server
packet password to ALL crash netmails, regardless of where they are
destined. In other words, OpenXP is not revealing the BossNode session
password, it is revealing the BossNode packet password which, of course,
is just as bad and it should NOT be doing this.

-- Martin
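
A way to check outbound .PKT files for the behaviour described in the post above, as an added example that is not part of the thread or of OpenXP's code. It assumes the standard FTS-0001 type-2 packet header layout (password at offset 26, 8 bytes); the node addresses, the password and the `agreed` mapping are constructed for illustration.

```python
import struct

# FTS-0001 type-2 packet header, 58 bytes little-endian: origNode, destNode,
# date/time (6 words), baud, pktType, origNet, destNet, prodCode, serialNo,
# password[8], origZone, destZone, fill[20].
HEADER = struct.Struct("<12H2B8s2H20s")

def read_header(data):
    """Return (destination address, packet password) from raw .PKT bytes."""
    if len(data) < HEADER.size:
        raise ValueError("truncated packet header")
    f = HEADER.unpack_from(data)
    if f[9] != 2:
        raise ValueError("not a type-2 packet")
    dest = f"{f[16]}:{f[11]}/{f[1]}"
    # The password field is NUL-padded; an empty field means "no password".
    password = f[14].split(b"\0", 1)[0].decode("latin-1").strip()
    return dest, password

def carries_foreign_password(data, agreed):
    """True if the packet holds a password not agreed with its destination.

    `agreed` maps a link address to the packet password shared with that
    link (hypothetical config shape used only by this example).
    """
    dest, password = read_header(data)
    return bool(password) and password != agreed.get(dest, "")

def make_header(dest_zone, dest_net, dest_node, password):
    """Build a constructed sample header (origin 2:999/1, fixed timestamp)."""
    return HEADER.pack(1, dest_node, 2023, 4, 7, 5, 17, 0, 0, 2, 999, dest_net,
                       0, 0, password.encode("latin-1"), 2, dest_zone, b"")

# Constructed sample data: boss link 2:999/100 with a made-up packet password.
AGREED = {"2:999/100": "BOSSPKT1"}
BOSS_PKT = make_header(2, 999, 100, "BOSSPKT1")    # normal packet to the boss
CRASH_PKT = make_header(2, 999, 200, "BOSSPKT1")   # crash mail, boss password
CLEAN_CRASH = make_header(2, 999, 200, "")         # crash mail, empty password

if __name__ == "__main__":
    for name, pkt in [("boss", BOSS_PKT), ("crash", CRASH_PKT),
                      ("clean crash", CLEAN_CRASH)]:
        dest, _ = read_header(pkt)
        flag = "LEAK" if carries_foreign_password(pkt, AGREED) else "ok"
        print(f"{name:12} -> {dest:10} {flag}")
```

Run against the first 58 bytes of each file in the outbound directory, it flags crash packets that carry the boss link's password without printing the password itself.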

Gunter

May 8, 2023, 4:20:45 PM
Hello Martin!

> After a bit of poking around in my own setup here and sending a couple
> of crash netmails, it appears that OpenXP is writing the Primary Fido
> Server packet password to ALL crash netmails, regardless of where they
> are destined. In other words, OpenXP is not revealing the BossNode
> session password, it is revealing the BossNode packet password which, of
> course, is just as bad and it should NOT be doing this.

Ok, I'll have a look at it.
Thanks for testing!!!


Ciao
Gunter

Gunter

May 11, 2023, 9:42:33 AM
Hello Martin!

> In other words, OpenXP is not revealing the BossNode session password,
> it is revealing the BossNode packet password which, of course,
> is just as bad and it should NOT be doing this.

This should be fixed in the next release.
Sorry for any inconvenience but FIDO is just not my area of expertise :-)


Ciao
Gunter

Martin Foster

May 13, 2023, 6:36:45 AM
Hello Gunter!

*** Thursday 11.05.23 at 14:41, Gunter wrote:

>> In other words, OpenXP is not revealing the BossNode session password,
>> it is revealing the BossNode packet password which, of course,
>> is just as bad and it should NOT be doing this.

> This should be fixed in the next release.

Thank you very much for that.

> Sorry for any inconvenience but FIDO is just not my area of expertise :-)

Even though I officially retired from the project quite recently, I'm
always ready to help out if/when I can :)

-- Martin

August Abolins

May 14, 2023, 10:05:11 AM
Hello gunter.sandner # googlemail.com!

** On Thursday 11.05.23 - 15:41, gunter.sandner # googlemail.com wrote to
All:

>> it is revealing the BossNode packet password which, of
>> course, is just as bad and it should NOT be doing this.

gs> This should be fixed in the next release. Sorry for any
gs> inconvenience but FIDO is just not my area of expertise
gs> :-)

OXP is quite the versatile program:

┌────────────┐
│ POP3/SMTP  │
│ NNTP       │
│ IMAP       │
│ RFC/Client │
│ RFC/UUCP   │
│ Fido       │
│ ZConnect   │
└────────────┘

I never really noticed the IMAP support.

BTW.. is anyone using the ZConnect system?

--
../|ug

August Abolins

May 14, 2023, 5:03:08 PM
Hello dcsc # openxp.uk!

** On Monday 08.05.23 - 11:24, dcsc # openxp.uk wrote to me:

MF> Yes, it was definitely fixed in 5.0.49(20.03.2021) ...


Right oh. It was still quite fine when I moved to .51


MF> ...There is now a way of telling which password is
MF> being written to the .PKT file(s) because support for a
MF> separate packet password was implemented in
MF> 5.0.56(07.05.2022).

I jumped from .51 to .57. So, perhaps the breach/reveal
occurred in .56 and no one noticed until now? :/

Good to hear that the next release addresses the problem! :D

--
../|ug

Zong

May 14, 2023, 5:53:56 PM
On Sunday 14 May 23, 09:00 UTC+1, August Abolins wrote:

> BTW.. is anyone using the ZConnect system?

Not for regular netcalls.
Just a ZConnect Box using the SysopMode to import news with a
sysop netcall from a kill file. I use XPFilter for thread
kills moving news from trolls and answers to a kill-Brett.
After exporting news changing the EMP: I reload some posts of
interest with a Sysop Netcall. The killfile-news are mostly
thrown away. Broken reference trees are negligible IMO
because one can search for subject, date etc.

--
Zong