Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =) I was recently setting up a Nullsoft SHOUTcast server to relay some content when I noticed the Administrator password is stored plain text in the configuration file (./sc_serv.conf by default). The password is also LOGGED when the web based administration tool is used. It can be obtained by simply grep'ing the logfile output. The offending line is here: <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)) Obtaining the Administrator password allows administration via the web based system, as well has hijacking the content stream going out to listeners. Quick fix would be simply chmod the log and config files to prevent world reading. Nullsoft should of course parse there log output for sensitive data, and possibly look into UNIX crypt() for its passwords. -arr0w --- Mike Damm http://www.dahphish.org/~arrow/ arrowat_private arrowat_private Sometimes I think windows calls DevideByZero();
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:56 PDT