
#3 Hostname validation checks ip address

open
nobody
None
5
2008-02-13
2008-02-13
No

The hostname validation in VeNCrypt checks for "ip::port" which breaks the validation on two parts:

1. This is contrary to how other VNC and cert checks are performed, and also why should the server include the port number in the certificate?

2. This opens us up to a DNS-poisoning attack.

Checking that the hostname in the certificate matches the hostname entered by the client is the only way that this should work, and is also the way that, for example, Firefox does it.
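The check this report asks for, as an added C++ example that is not part of the ticket, the attached patches, or VeNCrypt's code: the name taken from the certificate is compared against the host the user typed, not against the resolved "ip::port". The helper names, the assumption that the certificate's DNS names are already extracted into a list, and the sample hosts are all hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helpers for illustration; not VeNCrypt's API.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c)); });
    return s;
}

// Reference identity: the host part of what the user typed
// ("host", "host:display" or "host::port"), never the resolved address.
// Assumption: the host part contains no ':' (no IPv6 literal).
std::string reference_identity(const std::string& typed) {
    return lower(typed.substr(0, typed.find(':')));
}

// "*" is honoured only as the whole left-most label and covers one label.
bool name_matches(const std::string& cert_name, const std::string& host) {
    const std::string pat = lower(cert_name);
    if (pat.rfind("*.", 0) == 0) {
        const std::size_t dot = host.find('.');
        return dot != std::string::npos && dot > 0 &&
               host.compare(dot, std::string::npos, pat, 1, std::string::npos) == 0;
    }
    return pat == host;
}

// cert_names: DNS names already extracted from the server certificate.
bool verify_peer(const std::string& typed,
                 const std::vector<std::string>& cert_names) {
    const std::string host = reference_identity(typed);
    if (host.empty()) return false;
    return std::any_of(cert_names.begin(), cert_names.end(),
        [&](const std::string& n) { return name_matches(n, host); });
}

int main() {
    // Constructed sample data.
    const std::string typed = "vnc.example.com::5901";
    std::cout << verify_peer(typed, {"vnc.example.com"}) << '\n';   // genuine server
    std::cout << verify_peer(typed, {"other.example.net"}) << '\n'; // DNS answer redirected elsewhere
    std::cout << name_matches("vnc.example.com", "192.0.2.10::5901") << '\n'; // the "ip::port" comparison
}
```

Because the reference identity never passes through DNS, a forged DNS answer changes where the connection goes but not which name the certificate must carry.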

Discussion

  • Anonymous

    Anonymous - 2008-02-13

    Patch against win/vncviewer/CConn.cxx

     
  • Anonymous

    Anonymous - 2008-02-13

    Logged In: YES
    user_id=2006887
    Originator: YES

    Attached patch for the Unix version as well, not tested though!
    File Added: CCon.patch

     
  • Anonymous

    Anonymous - 2008-02-13

    Patch against unix/wncviewer/CConn.cxx

     
