Adik wrote:

>IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to
>encrypt its user passwords. Have a look at attached proof of concept tool, which will decrypt user password from local machine instantly.
>
>
Unfortunately being able to decrypt passwords is absolutely required in
order to support APOP, or SMTP CRAM-MD5 authentication.

With that in mind, this isn't so much a bug, but rather a design flaw
necessitated to support the protocols involved.

--
Dave Warren,
Email/MSN MSG: dave.warren (at) devilsplayground (dot) net [email concealed]
Phone: (403) 770-6140 Vonage: (817) 886-0860
Cell: (403) 371-3470 Toll free: (888) 371-3470
ICQ: 17848192 AIM: devilspgd

[ reply ]