Date: Sat, 4 Nov 2000 17:54:27 -0600
From: "K, KRazY" <krazy-k@SHELL.ACADIACOM.NET>
Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
To: BUGTRAQ@SECURITYFOCUS.COM

Title: VolanoChatPro stores a plaintext password in a publicly accessible file.
Date: November 4, 2000
Risk: Low. No system privileges are granted.
Vendor Site: http://www.volano.com
=================================================

VolanoChatPro, a widely used chat server on the Internet, allows anyone with access to the filesystem to obtain chat server admin access.

In the directory where VolanoChatPro is installed, there is a file named "properties.txt". This file stores the configuration for the server, including the values of server.password and admin.password. After install, the permissions on this file are "-rw-r--r--".

I contacted the vendor on August 2, 2000 and have gotten no response.

I think a workaround would be to change the permissions so that only the owner can read the file. I asked the vendor whether this would cause any other problems or whether the product would reset the permissions, and got no response. This is not addressed in the documentation.

I was saddened to see that the company lists many high-profile customers (Sun, Rational, AT&T Worldnet, Dept. of Energy, etc.; see http://www.volano.com/customers.html), but wouldn't respond to a security email.

.:Shout outs to:.
- /* Commander Crash */
-- Driver, pull over at the next cross-over.
- Scanman
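The check and the workaround described in the advisory, as an added example that is not part of the original post and is not VolanoChatPro's own tooling: a POSIX sh script that finds properties.txt files which both hold a server.password or admin.password value and are readable by group or other, and tightens them to owner-only (0600). The install directory, the sample file contents and the password values are constructed for the demo; whether the product later resets the permissions is unknown (the advisory says the vendor never answered that), so re-run the check after restarts and upgrades.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes the account running this
# owns properties.txt and is the account the chat server runs as.

# Return 0 if the file is readable by group or other (POSIX find -perm -MODE
# tests that all given bits are set; we test group-read and other-read separately).
world_readable() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Return 0 if the file contains a non-empty server.password or admin.password
# entry (the two keys named in the advisory).
has_plaintext_password() {
    grep -Eq '^[[:space:]]*(server|admin)\.password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# check_props DIR: report every properties.txt under DIR that is both exposed and
# holds a password. Returns 0 when nothing is exposed, 1 otherwise.
# (Paths containing whitespace would break the word-split loop; the install
# paths this targets do not contain any.)
check_props() {
    found=0
    for f in $(find "$1" -name properties.txt 2>/dev/null); do
        if has_plaintext_password "$f" && world_readable "$f"; then
            echo "EXPOSED: $f ($(ls -l "$f" | cut -c1-10))"
            found=1
        fi
    done
    return $found
}

# fix_props DIR: chmod 600 every properties.txt under DIR that holds a password,
# which is the owner-only workaround proposed in the advisory.
fix_props() {
    for f in $(find "$1" -name properties.txt 2>/dev/null); do
        if has_plaintext_password "$f"; then
            chmod 600 "$f"
        fi
    done
}

# make_demo_install: build a throwaway install directory with a constructed
# properties.txt (made-up values) carrying the default -rw-r--r-- mode, and
# print its path.
make_demo_install() {
    d=$(mktemp -d)
    cat > "$d/properties.txt" <<'EOF'
# constructed sample, modelled on the keys named in the advisory
server.host=0.0.0.0
server.port=8000
server.password=s3rv3r-example
admin.password=adm1n-example
EOF
    chmod 644 "$d/properties.txt"
    echo "$d"
}

# Demo run on the constructed directory.
DEMO_DIR=$(make_demo_install)
if check_props "$DEMO_DIR"; then echo "no exposed properties files under $DEMO_DIR"; fi
fix_props "$DEMO_DIR"
if check_props "$DEMO_DIR"; then echo "fixed: $DEMO_DIR/properties.txt is now owner-only"; fi
```

Run it against the real install directory with `check_props /path/to/volanochat` first; `fix_props` only touches files that actually carry one of the two password keys, so an unrelated properties.txt is left alone.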