
Title: VolanoChatPro stores plain text password in a publicly accessible file
Released by: KRazY
Date: 4th November 2000
Title: VolanoChatPro stores plain text password in a publicly accessible file.
Date: November 4, 2000
Risk: Low. No system privileges are granted.
Vendor Site: http://www.volano.com

=================================================

VolanoChatPro, a widely used chat server on the Internet, allows anyone with access to the filesystem to obtain chat server admin access.

In the directory where VolanoChatPro is installed, there is a file named "properties.txt". This file stores the config for the server, including the value of server.password and admin.password. After install, the permissions on this file are "-rw-r--r--".

I contacted the vendor on August 2, 2000 and have gotten no response. I think a workaround would be to change the permissions so that only the owner can read the file. I asked the vendor if this would cause any other problems or if the product would reset the permissions and got no response. This is not addressed in documentation.
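The following script is an added example, not part of the original advisory or of the vendor's product. It implements the check and the workaround described above for a Unix host: it detects a config file that both carries the server.password/admin.password keys and is readable by group or other users, then restricts it to owner read/write. It assumes properties.txt uses Java-style key=value lines (an assumption; the advisory only names the keys) and builds a constructed sample file in a temporary directory rather than touching a real installation.

```shell
#!/bin/sh
# Audit a VolanoChatPro-style properties.txt for the two conditions the
# advisory describes: plaintext password keys, and a mode that lets users
# other than the owner read the file. Added example; assumes key=value lines.

# Return 0 if the file is readable by group or other users, 1 if not.
# -perm -004 = other-readable, -perm -040 = group-readable (octal, POSIX find);
# -prune keeps find from descending if a directory is passed by mistake.
is_exposed() {
    f="$1"
    [ -n "$(find "$f" -prune \( -perm -004 -o -perm -040 \) -print)" ]
}

# Return 0 if the file contains a server.password or admin.password property.
has_plaintext_password() {
    grep -Eq '^(server|admin)\.password=' "$1"
}

# The workaround from the advisory: owner read/write only (-rw-------).
harden() {
    chmod 600 "$1"
}

# Build a CONSTRUCTED sample properties.txt (not the vendor's real file) in a
# temp directory with the post-install mode "-rw-r--r--", and print its path.
make_sample() {
    d=$(mktemp -d)
    f="$d/properties.txt"
    printf 'server.port=8000\nserver.password=CONSTRUCTED_SAMPLE\nadmin.password=CONSTRUCTED_SAMPLE\n' > "$f"
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Report the state of a file and apply the fix when both conditions hold.
# Returns 0 if the file was exposed and has been hardened, 1 if it was already ok.
audit() {
    f="$1"
    if has_plaintext_password "$f" && is_exposed "$f"; then
        echo "EXPOSED: $f stores plaintext passwords and is group/world-readable" >&2
        harden "$f"
        echo "hardened: $(ls -l "$f")"
        return 0
    fi
    echo "ok: $f"
    return 1
}

# Demonstration on the constructed sample when run directly.
sample=$(make_sample)
audit "$sample" || true
rm -rf "$(dirname "$sample")"
```

On a real installation the same functions would be pointed at the properties.txt in the VolanoChatPro directory; the audit can be re-run after an upgrade to confirm the vendor has not reset the mode, which is the open question the advisory raises.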



I was saddened to see that the company lists many high profile customers (Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See http://www.volano.com/customers.html), but wouldn't respond to a security email.


.:Shout outs to:.
 - /* Commander Crash */  -- Driver, pull over at the next cross-over.
 - Scanman








(C) 1999-2000 All rights reserved.