I think that I just stumbled onto a possible security vulnerability in
CSecurityTLS.  It seems as though CSecurityTLS::processMsg returns true
before the handshake has completed (possibly due to the "if (is.readU8() ==
0)" test on line 174).  In the case of secTypes like x509plain, the user is
prompted for a username and password (meaning the client is processing phase
2 of the security stack) before the certificate has been verified.  I
noticed this while testing a known bad certificate - presumably this means
that the username & password are sent in the clear since the TLS handshake
never completes.

Tigervnc-devel mailing list

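The ordering problem described in the message above, as a simplified model added here; it is not TigerVNC code and not part of the original post. `TlsPhase`, `runStack` and the state names are hypothetical, and the certificate check is reduced to a constructed boolean.

```cpp
#include <cstdio>
// Simplified model, not TigerVNC code; every name here is hypothetical.
enum class Tls { Start, Handshaking, Verified, Failed };

struct TlsPhase {
    bool earlyReturn = false;  // true models the suspected premature "done"
    bool certTrusted = false;  // constructed input: certificate check outcome
    Tls state = Tls::Start;
    // Contract: return true only once this phase is complete.
    bool processMsg() {
        if (state == Tls::Start) {
            state = Tls::Handshaking;
            return earlyReturn;        // flaw: "done" before any handshake
        }
        if (state == Tls::Handshaking)
            state = certTrusted ? Tls::Verified : Tls::Failed;
        return state == Tls::Verified;
    }
};

struct Result {
    bool prompted = false;     // user was asked for username/password
    bool sentInClear = false;  // credentials would leave unprotected
};

// Runs phase 1 (TLS), then phase 2 (plain auth) once phase 1 reports done.
// guardPhase2 re-checks the TLS state before prompting and fails closed.
Result runStack(bool earlyReturn, bool certTrusted, bool guardPhase2) {
    TlsPhase tls;
    tls.earlyReturn = earlyReturn;
    tls.certTrusted = certTrusted;
    Result r;
    for (int msg = 0; msg < 3; ++msg) {             // bounded message loop
        if (!tls.processMsg()) {
            if (tls.state == Tls::Failed) return r;  // abort, no phase 2
            continue;                                // wait for more data
        }
        if (guardPhase2 && tls.state != Tls::Verified) return r;
        r.prompted = true;
        r.sentInClear = (tls.state != Tls::Verified);
        return r;
    }
    return r;
}

int main() {
    Result bad = runStack(true, false, false);
    std::printf("prompted=%d clear=%d\n", bad.prompted, bad.sentInClear);
}
```

With the early return and a bad certificate the model prompts for credentials on an unverified channel; with the phase contract honoured, or with the guard in place, the same bad certificate ends the exchange before any prompt.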