[isf-wifidog] Sniffing out the wifidog network!!!

Pierre-Luc Bacon pierrelucbacon at aqra.ca
Mon 22 Feb 12:08:42 EST 2010


Strong security or authentication has never been a major point of
interest for the Wifidog project. It sure is, but we don't aim at just
being a simple authentication gateway. More sophisticated solutions
already exist outside of Wifidog (WPA2 Enterprise + RADIUS, for
example).

On Sun, Feb 21, 2010 at 5:19 PM, Jean-Philippe Menil
<jean-philippe.menil at univ-nantes.fr> wrote:
> Arya Mazaheri wrote:
>>
>> Hi there,
>> I've been running wifidog for a while. As a security check, I decided to sniff
>> my network to see the possible vulnerabilities. After doing that, I found
>> that there is a very bad security vulnerability. For every user who wants to
>> authenticate to the wifidog portal, his/her username and password can be sniffed
>> easily and hijacked!
>> The user's authentication is performed by an LDAP directory and SSL is
>> running on the portal, but it still has the problem.
>> Any idea?...
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>
> Hi,
>
> Theoretically, the communication between your LDAP and the auth server isn't
> on the same network segment as your users.
> So, I don't see how it can be possible to sniff anything concerning
> passwords.
> By the way, you can easily implement the LDAPS protocol in your LDAP server.
>
> Can you provide more elements of your situation?
>
> Regards.
>



-- 
Pierre-Luc Bacon
http://pierrelucbacon.com/


More information about the WiFiDog mailing list