[17502] in bugtraq
Filesystem Access + VolanoChat = VChat admin (fwd)
daemon@ATHENA.MIT.EDU (K, KRazY)
Mon Nov 6 01:14:56 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.1001104175019.23268A-100000@shell.acadiacom.net>
Date: Sat, 4 Nov 2000 17:54:27 -0600
Reply-To: krazy-k@SHELL.ACADIACOM.NET
From: "K, KRazY" <krazy-k@SHELL.ACADIACOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Title: VolanoChatPro stores plain text password in a publicly accessible file.
Date: November 4, 2000
Risk: Low. No system privileges are granted.
Vendor Site: http://www.volano.com
=================================================
VolanoChatPro, a widely used chat server on the Internet, allows any local
user who can read its installation directory to obtain chat server admin access.
In the directory where VolanoChatPro is installed, there is a file named
"properties.txt". This file stores the server configuration, including the
plain text values of server.password and admin.password. After install, the
permissions on this file are "-rw-r--r--", so every account on the host can
read it.
I contacted the vendor on August 2, 2000 and have gotten no response. I
think a workaround would be to change the permissions so that only the
owner can read the file. I asked the vendor if this would cause any other
problems or if the product would reset the permissions and got no
response. This is not addressed in documentation.
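The workaround described above can be audited and applied from a shell. The following is an added example written for this page, not code from the advisory or from Volano; the path of properties.txt is an assumption and must be pointed at the real install directory. It reports whether the file is readable by group or other, whether it actually carries the password keys named above, and with the `fix` argument tightens it to owner-only (0600) as the author suggests.

```sh
#!/bin/sh
# Added example (not part of the advisory or the VolanoChatPro product).
# Audits a VolanoChatPro properties.txt for the world-readable-password
# problem and optionally restricts it to the owner. Install path is assumed.

# perms_of FILE -> prints the 9-character mode string, e.g. "rw-r--r--"
perms_of() {
    ls -ld "$1" | cut -c2-10
}

# world_readable FILE -> exit 0 if group or other has the read bit, 1 otherwise
world_readable() {
    p=$(perms_of "$1") || return 2
    # characters 4-9 of "rw-r--r--" are the group and other triplets
    case "$(printf '%s' "$p" | cut -c4-9)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# has_plaintext_password FILE -> exit 0 if a server.password or
# admin.password line is present (the keys named in the advisory)
has_plaintext_password() {
    grep -E -q '^[[:space:]]*(server|admin)\.password[[:space:]]*=' "$1"
}

# audit_props FILE [fix] -> prints a verdict line.
# Returns 0 when the file is already owner-only, 1 when it was exposed
# (fixed or not, depending on the second argument), 2 when missing.
audit_props() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if world_readable "$f"; then
        before=$(perms_of "$f")
        if has_plaintext_password "$f"; then
            what="plain text admin/server password"
        else
            what="config"
        fi
        if [ "$2" = fix ]; then
            chmod 600 "$f" && echo "FIXED $f: $what was $before, now $(perms_of "$f")"
        else
            echo "EXPOSED $f: $what readable by others (mode $before)"
        fi
        return 1
    fi
    echo "OK $f mode $(perms_of "$f")"
    return 0
}

# Usage: audit_props /path/to/VolanoChatPro/properties.txt [fix]
# (the path is an assumption; run as the account that owns the install)
if [ "$(basename "$0")" != "sh" ] && [ -n "$1" ]; then
    audit_props "$1" "$2"
fi
```

Run it first without `fix` to see the verdict, then with `fix` once you have confirmed the server process runs as the file's owner, which is the open question the author raised with the vendor.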
I was saddened to see that the company lists many high profile customers
(Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
http://www.volano.com/customers.html), but wouldn't respond to a security
email.
.:Shout outs to:.
- /* Commander Crash */ -- Driver, pull over at the next cross-over.
- Scanman