RE: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-19 Thread Quark IT - Hilton Travis
T/A Quark Automation, Quark AudioVisual, Quark IT > > > > > >> -----Original Message----- > >> From: Aditya K Sood [mailto:[EMAIL PROTECTED] > >> Sent: Wednesday, 17 September 2008 10:41 PM > >> To: bugtraq@securityfocus.com > >> Subjec

Re: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-19 Thread John Bailey
Memisyazici, Aras wrote: > John: > > Thank you for your reply. > > Indeed, as I tried to explain in my previous reply, my "suggestion" in > obscurity as a means of securing things, was not meant as (encryption of > encryption) ^ ?, rather building another barrier to make it "harder" for > co

RE: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-19 Thread Memisyazici, Aras
strator Virginia Tech From: John Bailey [mailto:[EMAIL PROTECTED] Sent: Thu 9/18/2008 5:44 PM To: Memisyazici, Aras Cc: bugtraq@securityfocus.com; Siim Põder Subject: Re: Pidgin IM Client Password Disclosure Vulnerability. On Thu, Sep 18, 2008 at 03:16:18PM -0400,

Re: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-19 Thread Steve Shockley
Memisyazici, Aras wrote: whereby they take a hash of the password, with a non-std. hashing mechanism. The idea being that in today's world where there are so many scr1pt-kiddi3 toolz out there allowing the avg. Joe Schmoe the capability of analyzing one's memory processes i.e. Tsearch, memhack et

Re: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-19 Thread John Bailey
On Thu, Sep 18, 2008 at 03:16:18PM -0400, Memisyazici, Aras wrote: > While I agree with your comments, I cannot help but suggest that maybe the > method of choice could be 'security through obscurity' whereby they take a > hash of the password, with a non-std. hashing mechanism. The idea being th

RE: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-18 Thread Memisyazici, Aras
s :) Just a thought, Aras 'Russ' Memisyazici Systems Administrator Virginia Tech -Original Message- From: Siim Põder <[EMAIL PROTECTED]> Sent: Thursday, September 18, 2008 12:58 PM To: bugtraq@securityfocus.com Subject: Re: Pidgin IM Client Password Disclosure Vulnerabili

Re: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-18 Thread Siim Põder
Hi. Aditya K Sood wrote:
> The pidgin client inherits client side password disclosure
> vulnerability. The credentials used to
> connect to the required service i.e. username and password is not
> encrypted properly. The credentials
what do you propose? encrypt the password and store the encrypti

RE: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-18 Thread Quark IT - Hilton Travis
d [mailto:[EMAIL PROTECTED] > Sent: Wednesday, 17 September 2008 10:41 PM > To: bugtraq@securityfocus.com > Subject: Pidgin IM Client Password Disclosure Vulnerability. > > Pidgin IM Client Password Disclosure Vulnerability. > > *Version Affected:* > 0.7.10 Unicode / Previou

Re: Pidgin IM Client Password Disclosure Vulnerability.

2008-09-18 Thread Aditya K Sood
al Message- From: Aditya K Sood [mailto:[EMAIL PROTECTED] Sent: Wednesday, 17 September 2008 10:41 PM To: bugtraq@securityfocus.com Subject: Pidgin IM Client Password Disclosure Vulnerability. Pidgin IM Client Password Disclosure Vulnerability. *Version Affected:* 0.7.10 Unicode / Previous vers

Pidgin IM Client Password Disclosure Vulnerability.

2008-09-17 Thread Aditya K Sood
Pidgin IM Client Password Disclosure Vulnerability. *Version Affected:* 0.7.10 Unicode / Previous version can be affected. *Release Date:* 11 September 2008 *About:* Pidgin is a graphical modular messaging client based on libpurple which is capable of connecting to AIM, MSN, Yahoo!, XMPP, ICQ