COMMAND

    e/pop

SYSTEMS AFFECTED

    WiredRed e/pop 2.0.3.125

PROBLEM

    'chaos 255' found the following.  Out of the box, the e/pop
    application has no security settings enabled.  Any peer can take
    control of your desktop without warning.

    Security Codes configured in the e/pop Control Panel are sent in
    the clear.  Several security codes can be configured from the
    e/pop control panel:

        Global: must be installed on each e/pop peer in order to
                communicate and is also used to restrict access to the
                control panel.

      Features: Send and Receive codes can be configured for each of
                the following features: Message, Chat, Admin, Remote,
                and AppShare.

    Security codes can be easily snooped and used to communicate with
    and/or take control of e/pop peers that have security codes
    configured.

SOLUTION

    Send a message digest (e.g. MD5) of the security code instead of
    sending it in the clear.  There's a possibility that newer
    versions of e/pop will use MD5 and RC6 internally to encode the
    codes.
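
    The digest suggestion above, as an added example (not WiredRed's
    code or e/pop's wire format; every name and the sample code are
    constructed): a fixed MD5 of the security code is itself accepted
    again if it is observed on the wire, while a per-attempt challenge
    answered with a keyed hash is not.

```python
"""Added example: ways a peer can prove it knows a shared security code.
Not e/pop's wire protocol; all names and values here are constructed."""
import hashlib
import hmac
import secrets

CODE = b"example-global-code"  # constructed sample security code


def static_digest(code: bytes) -> bytes:
    # The advisory's suggestion: send MD5(code) instead of the code itself.
    return hashlib.md5(code).digest()


def verify_static(code: bytes, wire: bytes) -> bool:
    return hmac.compare_digest(wire, static_digest(code))


def respond(code: bytes, nonce: bytes) -> bytes:
    # Sender proves knowledge of the code without sending it or a fixed value.
    return hmac.new(code, nonce, hashlib.sha256).digest()


class Verifier:
    """Receiving peer that issues a fresh random challenge per attempt."""

    def __init__(self, code: bytes):
        self._code = code
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single use
        if nonce is None:
            return False
        return hmac.compare_digest(response, respond(self._code, nonce))


def captured_value_is_reusable() -> dict:
    """Present a previously observed wire value to each verifier again."""
    seen_static = static_digest(CODE)
    v = Verifier(CODE)
    seen_response = respond(CODE, v.challenge())
    legit = v.verify(seen_response)   # the original, legitimate attempt
    v.challenge()                     # a later attempt gets a new nonce
    return {"static": verify_static(CODE, seen_static),
            "legit": legit,
            "challenge_response": v.verify(seen_response)}
```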