Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Improper log file storage in Musicmatch software
From: Hyperdose Security (robflyhyperdose.com)
Date: Fri Apr 15 2005 - 11:04:57 CDT
Hyperdose Security Advisory
Name: Improper Log file storage in Musicmatch software
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Author: Robert Fly - robflyhyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-02.txt
From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience." In September 04 Musicmatch was purchased by Yahoo! Inc.
There are several temp and log files stored by Musicmatch, many of which are
stored under Program Files. Because log data can contain personal user
information, such as what songs they are listening to, this data should be
stored under the users own profile. If not users run the risk of
inadvertantly exposing information which they may not want others to access.
One such example of this is the log file stored in "c:\program
files\musicmatch\musicmatch jukebox\mmjblog.txt" which amongst other things
contains the songs the user has listened to.
As of 3/21/05 Yahoo has released a new version which fixes this
vulnerability. I have witheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propogate.
Downloads available here:
Security FAQ available here:
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle. We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.