Winamp SHOUTcast server: Gain Administrator Password

From: Michael (arrowat_private)
Date: Fri Aug 20 1999 - 02:19:39 PDT


Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =)

I was recently setting up a Nullsoft SHOUTcast server to relay some
content when I noticed the Administrator password is stored in plain text in
the configuration file (./sc_serv.conf by default).

The password is also LOGGED when the web-based administration tool is
used. It can be obtained by simply grep'ing the logfile output. The
offending line is here:
<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))

Obtaining the Administrator password allows administration via the web-based
system, as well as hijacking the content stream going out to
listeners.

A quick fix would be simply to chmod the log and config files to prevent world
reading. Nullsoft should of course parse their log output for sensitive
data, and possibly look into UNIX crypt() for its passwords.


    -arr0w

---
Mike Damm       http://www.dahphish.org/~arrow/
arrowat_private     arrowat_private
Sometimes I think windows calls DevideByZero();
    
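The two mitigations the post suggests (scrub credentials out of the request log, and stop the log and config files from being world-readable) are easy to check mechanically. The following is an added example written for this archive page, not code from the original post or from Nullsoft: it redacts the `pass=` query parameter from log lines in the sc_serv format quoted above, reports which lines leaked a credential, and demonstrates the chmod fix on a temporary file. The sample log lines and the extra parameter names (`password`, `passwd`) are constructed assumptions for illustration; SHOUTcast itself only uses `pass`.

```python
import os
import re
import stat
import tempfile

# Constructed sample log lines in the sc_serv format quoted in the post.
# The password "joltcola" is the one from the post's own example line.
SAMPLE_LOG = [
    '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
    '<08/20/99@06:12:03> [http:2 my.computer.com] REQ:"/index.html" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
    '<08/20/99@06:12:40> [http:3 my.computer.com] REQ:"/admin.cgi?mode=kicksrc&pass=joltcola" (Mozilla/4.0)',
]

# Query-string parameter names treated as secrets. "pass" is what SHOUTcast's
# admin.cgi uses; the other two are assumed extras so the filter generalises.
SENSITIVE_PARAMS = ("pass", "password", "passwd")

# A value runs until the next '&', the closing quote of REQ:"...", or whitespace.
_PARAM_RE = re.compile(
    r'(?P<key>(?:%s))=(?P<value>[^&"\s]*)' % "|".join(SENSITIVE_PARAMS),
    re.IGNORECASE,
)


def redact_line(line: str) -> str:
    """Return the log line with every sensitive parameter value replaced."""
    return _PARAM_RE.sub(lambda m: "%s=[REDACTED]" % m.group("key"), line)


def find_leaked_passwords(lines):
    """Return (line_number, parameter_name, value) for each leaked credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _PARAM_RE.finditer(line):
            hits.append((n, m.group("key"), m.group("value")))
    return hits


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def lock_down(path: str) -> int:
    """Apply the post's quick fix (owner read/write only) and return the new mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_permissions():
    """Create a throwaway 'sc_serv.conf', make it world-readable, then fix it.

    Returns (readable_before, readable_after).
    """
    fd, path = tempfile.mkstemp(prefix="sc_serv_", suffix=".conf")
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # the weak, world-readable setting
        before = is_world_readable(path)
        lock_down(path)        # the corrected setting (0o600)
        after = is_world_readable(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for n, key, value in find_leaked_passwords(SAMPLE_LOG):
        print("line %d leaks %s=%s" % (n, key, value))
    for line in SAMPLE_LOG:
        print(redact_line(line))
    print("world-readable before/after chmod:", demo_permissions())
```

In a real deployment the redaction would sit in whatever ships the log off the box (or in a cron job that rewrites it), and the permission check belongs in the same place that verifies ownership of the config file; the point of the example is that both defects are visible from the log format and file mode alone.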



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:56 PDT