Hi all,

The Adito/OpenVPN ALS replacement proxy feature has the following vulnerability:

https://www.kb.cert.org/vuls/id/261869

The vulnerability may allow the attacker to steal a user's session cookie, in effect allowing the user to log in without any credentials. The risk of this attack can be lessened by using the "Restrict to hosts" option in the replacement proxy settings. Also, using the "Verify Client Address" option to prevent using the session cookie from multiple IP addresses makes it more difficult to make use of this exploit.

There's currently no fix, but there are a few things that can be done on the code level to mitigate this risk further.

Samuli
