VolanoChatPro Local Password Disclosure Vulnerability
BID:1906
Info
| Bugtraq ID: | 1906 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 04 2000 12:00AM |
| Updated: | Nov 04 2000 12:00AM |
| Credit: | Posted to Bugtraq by <[email protected]> on 4 Nov 2000. |
| Vulnerable: | Volano LLC VolanoChatPro 2.1 |
| Not Vulnerable: | |
Discussion
A vulnerability exists in VolanoChatPro 2.1, a Java-based internet chat server which runs on Windows and Unix-like platforms.
The configuration file "properties.txt", which is set world-readable following installation, contains entries for the server and admin passwords. These values are not encrypted or otherwise obfuscated. As a result, anyone with access to the VolanoChatPro directory will be able to easily obtain these passwords and compromise administrative access for the chat server.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Change the permissions of the permission.txt file to mode 0600.
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
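An added example, not part of the original advisory and not vendor code: a POSIX shell check that reports whether group or other users have any access to a configuration file and, if so, tightens it to mode 0600 as the solution above describes. The function names are assumptions made for this illustration, and the file to check is passed as an argument.

```shell
#!/bin/sh
# Added illustration: audit and tighten the mode of a password-bearing
# configuration file. Function names are hypothetical, not from the vendor.

# Print the group/other part of the mode string, e.g. "r--r--".
# -L follows symlinks so the mode of the real file is inspected.
group_other_bits() {
    ls -ldL -- "$1" | cut -c5-10
}

# Succeed only if neither group nor others have any access to the file.
is_owner_only() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Tighten the file to 0600 when needed and verify the result.
# Prints one of: missing, ok, fixed, failed.
harden_config() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    if is_owner_only "$f"; then
        echo "ok"
        return 0
    fi
    # Re-check after chmod instead of trusting its exit status alone.
    chmod 600 -- "$f" && is_owner_only "$f" && { echo "fixed"; return 0; }
    echo "failed"
    return 1
}

# Stand-alone use: check every path given on the command line.
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(harden_config "$path")"
done
```

The chmod call only succeeds for the file's owner or root, and the account that runs the chat server must own the file so that it can still read it afterwards.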