[25514] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Plain Text Password Vulnerability in Winamp 2.80

daemon@ATHENA.MIT.EDU (isox@chainsawbeer.com)
Mon May 20 18:18:48 2002

Date: 19 May 2002 04:41:33 -0000
Message-ID: <20020519044133.29351.qmail@chainsawbeer.com>
From: isox@chainsawbeer.com
To: bugtraq@securityfocus.com

When a URL's is streamed in winamp which requires HTTP authentication, the user is prompted to enter a username and password.  This username and password is then stored as plain text in the file winamp.ini under the section [HTTP-AUTH].  The format of stored passwords (it seems) is <domain - TLD>=<username>:<password>.

URL's which are streamed are also kept as history in the winamp.ini file under the [winamp] section.  This includes URL's which include the username/password in them (ie, http://username:password@site).

This was verified in Winamp 2.80 on Windows XP.

- isox


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[25514] in bugtraq

Plain Text Password Vulnerability in Winamp 2.80

daemon@ATHENA.MIT.EDU (isox@chainsawbeer.com)Mon May 20 18:18:48 2002

daemon@ATHENA.MIT.EDU (isox@chainsawbeer.com)
Mon May 20 18:18:48 2002