Subj : Re: session pw revealed in crash/direct
To   : August Abolins
From : Martin Foster
Date : Mon May 08 2023 11:24:00

Hello August!

*** Sunday 07.05.23 at 05:17, August Abolins wrote:

> I thought this was corrected before,

Yes, it was definitely fixed in 5.0.49 (20.03.2021) because at that time I was still taking an active part in OpenXP development and I well remember doing a *lot* of beta testing on this issue.

> but OpenXP is again revealing the session password that is normally
> shared with the boss system to the system where the crashmail is being
> directed. :(

At the time this issue was fixed, there was no way of telling whether it was actually the session or the packet password that was being written to the .PKT file(s), because OpenXP used the session password for the packet password. There is now a way of telling which password is being written to the .PKT file(s), because support for a separate packet password was implemented in 5.0.56 (07.05.2022).

After a bit of poking around in my own setup here and sending a couple of crash netmails, it appears that OpenXP is writing the Primary Fido Server packet password to ALL crash netmails, regardless of where they are destined.

In other words, OpenXP is not revealing the BossNode session password, it is revealing the BossNode packet password which, of course, is just as bad and it should NOT be doing this.

--
Martin

---
 * Origin: rbb.fidonet.fi - the fidonet nntp junction (2:221/10)
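The symptom Martin describes can be checked for on the sending side before packets leave the outbound directory. As an added example (not OpenXP's code and not from this thread), the Python below reads the FTS-0001 packet header of each .PKT, where the 8-byte packet password sits at offset 26, and flags any packet that carries the primary server's packet password but is addressed to a different node. The boss address, the password and the packet bytes are constructed for the demonstration.

```python
import struct
from typing import Dict, List, NamedTuple

# FTS-0001 type-2 packet header is 58 bytes; the fields used here are
# origNode/destNode at 0, origNet/destNet at 20, password at 26 (8 bytes,
# NUL padded) and origZone/destZone at 34.
PKT_HEADER_LEN = 58

class PktInfo(NamedTuple):
    dest: str       # "zone:net/node"
    password: str   # packet password as stored in the header

def parse_pkt_header(data: bytes) -> PktInfo:
    """Extract destination address and packet password from a .PKT header."""
    if len(data) < PKT_HEADER_LEN:
        raise ValueError("truncated packet header")
    _orig_node, dest_node = struct.unpack_from("<HH", data, 0)
    _orig_net, dest_net = struct.unpack_from("<HH", data, 20)
    password = data[26:34].split(b"\x00", 1)[0].decode("ascii", "replace")
    _orig_zone, dest_zone = struct.unpack_from("<HH", data, 34)
    return PktInfo(f"{dest_zone}:{dest_net}/{dest_node}", password)

def find_leaks(packets: Dict[str, bytes], boss: str, boss_pkt_password: str) -> List[str]:
    """Names of packets not addressed to the boss that still carry the boss
    packet password, i.e. the behaviour reported above for crash netmails."""
    leaking = []
    for name, data in packets.items():
        info = parse_pkt_header(data)
        if info.dest != boss and info.password and info.password == boss_pkt_password:
            leaking.append(name)
    return leaking

def make_pkt_header(dest: str, password: str) -> bytes:
    """Build a minimal constructed type-2 header for the demonstration."""
    zone, rest = dest.split(":")
    net, node = rest.split("/")
    hdr = bytearray(PKT_HEADER_LEN)
    struct.pack_into("<HH", hdr, 0, 10, int(node))     # origNode (constructed), destNode
    struct.pack_into("<H", hdr, 18, 2)                 # packet type 2
    struct.pack_into("<HH", hdr, 20, 221, int(net))    # origNet (constructed), destNet
    hdr[26:34] = password.encode("ascii").ljust(8, b"\x00")
    struct.pack_into("<HH", hdr, 34, 2, int(zone))     # origZone (constructed), destZone
    return bytes(hdr)

# Constructed sample: one packet for the boss, one crash packet to another
# node that wrongly carries the boss password, one crash packet with none.
BOSS = "2:221/10"
BOSS_PKT_PASSWORD = "BOSSPW1"   # constructed value
SAMPLE_PACKETS = {
    "0001.pkt": make_pkt_header(BOSS, BOSS_PKT_PASSWORD),
    "0002.pkt": make_pkt_header("2:221/360", BOSS_PKT_PASSWORD),
    "0003.pkt": make_pkt_header("1:123/45", ""),
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_PACKETS, BOSS, BOSS_PKT_PASSWORD))  # ['0002.pkt']
```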