Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999-q3

Bugtraq Archives: Winamp SHOUTcast server: Gain Administrator P

Winamp SHOUTcast server: Gain Administrator Password

Michael (arrowDAHPHISH.ORG)
Fri, 20 Aug 1999 02:19:39 -0700

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Bob Todd: "Vulnerability in Solaris 2.6. rpc.statd ?"
Previous message: Georgi Guninski: "IE 5.0 allows executing programs"

Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =)

I was recently setting up a Nullsoft SHOUTcast server to relay some
content when I noticed the Administrator password is stored plain text in
the configuration file (./sc_serv.conf by default).

The password is also LOGGED when the web based administration tool is
used. It can be obtained by simply grep'ing the logfile output. The
offending line is here:
<08/20/<08/20/9906:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))

Obtaining the Administrator password allows administration via the web
based system, as well has hijacking the content stream going out to
listeners.

Quick fix would be simply chmod the log and config files to prevent world
reading. Nullsoft should of course parse there log output for sensitive
data, and possibly look into UNIX crypt() for its passwords.

-arr0w

---
Mike Damm       http://www.dahphish.org/~arrow/
arrownakedhackers.net     arrowalphalinux.org
Sometimes I think windows calls DevideByZero();

Next message: Bob Todd: "Vulnerability in Solaris 2.6. rpc.statd ?"
Previous message: Georgi Guninski: "IE 5.0 allows executing programs"

This archive was generated by hypermail 2.0b3 on Sun Aug 22 1999 - 09:04:32 CDT