Re: Audiogalaxy again

From: David Lodge (fenrirat_private)
Date: Thu Nov 29 2001 - 04:44:34 PST


    > Some time ago I released a statement about Audiogalaxy keeping usernames and
    > passwords in clear text in a file on the user's system.  Well, shortly after
    > that they fixed it, or so it seemed.  I notified the good people over at
    > Audiogalaxy about this months ago and I see nothing has changed.
    > Audiogalaxy has started storing usernames and passwords in a cookie.
    
    Audiogalaxy does not seem to have security as an immediate precedence...
    
    The old Audiogalaxy would contain the userid and password as part of the URL, allowing any proxy/cache admin to get hold of the account information (this seems to have been fixed).
    
    And the non-cleartext entry in the ini file is encrypted very poorly (XOR with 255).
    
    So all you can reiterate is - use a different password for Audiogalaxy than everything else (which should be normal!)
    
    dave
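
An added example, not part of the original post and not Audiogalaxy's code: an audit check that classifies a stored credential value as cleartext, single-byte XOR (the "XOR with 255" case above), or opaque. The sample values and function names are constructed for illustration, and the check assumes only the raw bytes of the stored value are examined.

```python
PRINTABLE = set(range(0x20, 0x7F))  # visible ASCII, the alphabet of a typed password


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR each byte with one fixed byte. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def is_printable(data: bytes) -> bool:
    """True when the value is non-empty and every byte is visible ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)


def classify_stored_secret(blob: bytes) -> str:
    """Audit a stored credential value.

    Returns "cleartext", "single-byte-xor" or "opaque".
    """
    if is_printable(blob):
        return "cleartext"
    # A fixed one-byte mask is not a key: only 255 non-zero masks exist, so a
    # reviewer can test every one and see whether readable text falls out.
    if any(is_printable(xor_bytes(blob, key)) for key in range(1, 256)):
        return "single-byte-xor"
    return "opaque"


# Constructed sample values, not taken from any real ini file or cookie.
SAMPLE_PASSWORD = b"correct-horse-1"
SAMPLE_XOR_255 = xor_bytes(SAMPLE_PASSWORD, 255)
# Bytes with mixed high bits, as real ciphertext or a hash would have.
SAMPLE_MIXED = bytes.fromhex("129c45e07b03d1")

if __name__ == "__main__":
    samples = [
        ("plain", SAMPLE_PASSWORD),
        ("xor-255", SAMPLE_XOR_255),
        ("mixed", SAMPLE_MIXED),
    ]
    for name, blob in samples:
        print(f"{name:8} {blob.hex():32} {classify_stored_secret(blob)}")
```

A value reported as "cleartext" or "single-byte-xor" should be treated the same way in a review: anyone who can read the file can read the password.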
    



    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 17:56:32 PST