[EMAIL PROTECTED] wrote: > There is a flaw (well more a stupid design than anything else) in > OpenVPN 2.0.7 (and below) in the the Remote Management Interface > that allows an attacker to gain complete control because there is NO > AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).
One important mitigating factor: The management interface is not enabled by default. I agree that it's a really stupid design, though. Regards, David. (Return address set to devnull to swallow silly Bugtraq out-of-office messages. Real address is dfs at ...)
