Bugtraq mailing list archives

Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)
From: Volano Support <support () VOLANO COM>
Date: Mon, 6 Nov 2000 11:04:54 -0800

Hello Brad:

The reply to this person's email is below.

Also, as you can see, numerous attempts, from August 2-9, were made
to send to this person's email address. However, each and every
attempt returned a permanent fatal error with their email address.

We reply promptly to all emails. However, we cannot assist when
erroneous email addresses are provided. It is unfortunate that we
were "threatened" by this person about "going public" with what is
obviously not a security issue, and is a simple matter of directory
and file permissions.

If you are a member of this list, please notify others to use valid
email addresses if they expect a response.

Sincerely,
Carel Neffenger


-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of K,
KRazY
Sent: Sunday, November 05, 2000 9:54 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Filesystem Access + VolanoChat = VChat admin (fwd)


Title: VolanoChatPro stores plain text password in a publicly accessible
file.
Date: November 4, 2000
Risk: Low. No system privileges are granted.
Vendor Site: http://www.volano.com


=================================================
VolanoChatPro, a widely used chat server on the Internet, allows anyone
with access to the filesystem to obtain chat server admin access.

In the directory where VolanoChatPro is installed, there is a file named
"properties.txt".  This file stores the config for the server, including
the value of server.password and admin.password.  After install, the
permissions on this file are "-rw-r--r--".

I contacted the vendor on August 2, 2000 and have gotten no response.  I
think a workaround would be to change the permissions so that only the
owner can read the file.  I asked the vendor if this would cause any other
problems or if the product would reset the permissions and got no
response. This is not addressed in documentation.

I was saddened to see that the company lists many high profile customers
(Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
http://www.volano.com/customers.html), but wouldn't respond to a security
email.



.:Shout outs to:.
 - /* Commander Crash */  -- Driver, pull over at the next cross-over.
 - Scanman




Date: Wed, 9 Aug 2000 11:47:41 -0800
To: krazy-k () acadiacom net
From: Volano Support <support () volano com>
Subject: Fwd: Returned mail: Cannot send message within 5 days
Cc:
Bcc:
X-Attachments:

Date: Wed, 9 Aug 2000 09:11:56 -0700
From: Mail Delivery Subsystem <MAILER-DAEMON () server1 volano com>
To: <support () volano com>
Subject: Returned mail: Cannot send message within 5 days
Auto-Submitted: auto-generated (failure)



The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
from vp029.dds01.sea.blarg.net [206.124.137.29]

   ----- The following addresses had permanent fatal errors -----
<krazy-k () shell acadiacom net>

   ----- Transcript of session follows -----
<krazy-k () shell acadiacom net>... Deferred: Name server:
shell.acadiacom.net.: host name lookup failure
Message could not be delivered for 5 days
Message will be deleted from queue

Reporting-MTA: dns; server1.volano.com
Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700

Final-Recipient: RFC822; krazy-k () shell acadiacom net
Action: failed
Status: 4.4.7
Remote-MTA: DNS; shell.acadiacom.net
Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700

Return-Path: <support () volano com>
Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29])
        by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229
        for <krazy-k () shell acadiacom net>; Fri, 4 Aug 2000 08:21:42 -0700
Mime-Version: 1.0
X-Sender: support () mail volano com (Unverified)
Message-Id: <p04320409b5b08cf19c26 () [216 225 114 67]>
In-Reply-To:
 <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
References: <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
Date: Fri, 4 Aug 2000 08:09:55 -0700
To: krazy-k () shell acadiacom net
From: Volano Support <support () volano com>
Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

Hello:

The email address you supply is being returned as undeliverable.
Below is a forward of my email from Wednesday.

Date: Wed, 2 Aug 2000 10:07:42 -0700
To: krazy-k () shell acadiacom net
From: Volano Support <support () volano com>
Subject: Re: Security: Telnet + VChat = VChat admin
Cc:
Bcc:
X-Attachments:

Hi.  I took a quick look at your VolanoChatPro product.  I noticed that
your product sets the file properties.txt with the following permissions,
"-rw-r--r--".  Since this file is readable by anyone, it is possible for
anyone with filesystem access to read the file and obtain the value of
server.password and admin.password.  Once someone has these, obviously bad
things can happen.

I didn't see this issue addressed in online documentation.

Are there any plans to fix this?  If I manually set the permissions, will
your product change the permission back to "-rw-r--r--" or can I rely on
the permissions staying the same?

Thanks.

If you're running on a multi-user system where others have login
accounts, then of course, you should change the permissions so
that other users can't read the file. The VolanoChat server will
leave the permissions as you define them.

For example, you could set it to:
   chmod 600 properties.txt

That will set it so only the userid under which you installed and
start the VolanoChat server can read the file.

Also, make sure that the files are not publicly available under
your web server directories.

Sincerely,
Carel Neffenger



I have heard no response from you.

I will go public in 2 weeks.

---------- Forwarded message ----------
Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
From: krazy-k () shell acadiacom net
To: support () volano com
Cc: security () volano com
Subject: Security: Telnet + VChat = VChat admin

Hi.  I took a quick look at your VolanoChatPro product.  I noticed that
your product sets the file properties.txt with the following permissions,
"-rw-r--r--".  Since this file is readable by anyone, it is possible for
anyone with filesystem access to read the file and obtain the value of
server.password and admin.password.  Once someone has these, obviously bad
things can happen.

I didn't see this issue addressed in online documentation.

Are there any plans to fix this?  If I manually set the permissions, will
your product change the permission back to "-rw-r--r--" or can I rely on
the permissions staying the same?

Thanks.

--
------------------------------------------------------------------
Volano LLC
331 Andover Park East, #240, Seattle, WA 98188-7601
tel (206) 575-9129
fax (909) 498-9986
mailto:support () volano com

Volano LLC Home Page
    http://www.volano.com/

Volano Chat Administrator Guides:
    http://www.volano.com/documentation.html
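The exposure the report and the vendor reply describe is a file permissions problem, so the practical check is an audit of properties.txt followed by the chmod 600 workaround. The script below is an added example, not Volano's code or anything from the thread; it assumes a POSIX sh with ls, cut, grep and mktemp, and the properties.txt it writes in demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example, not Volano's code: audit a VolanoChat properties.txt for the
# exposure in the thread (a readable file holding server.password and
# admin.password) and apply the chmod 600 workaround. Assumes POSIX sh and
# ls; the properties.txt written by demo() is constructed for illustration.

# audit_properties FILE
#   Prints one finding per line. Returns 0 if only the owner can read FILE,
#   1 if the group or other users can read it, 2 if FILE does not exist.
audit_properties() {
  f=$1
  [ -f "$f" ] || { echo "MISSING $f"; return 2; }
  # the first 10 characters of ls -l are the type plus the rwxrwxrwx string
  mode=$(ls -ld "$f" | cut -c1-10)
  grp_r=$(printf '%s' "$mode" | cut -c5)
  oth_r=$(printf '%s' "$mode" | cut -c8)
  # report which secret keys the file carries, never their values
  for key in server.password admin.password; do
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$f"; then
      echo "SECRET $key present in $f"
    fi
  done
  rc=0
  if [ "$oth_r" = r ]; then echo "WORLD-READABLE $f ($mode)"; rc=1; fi
  if [ "$grp_r" = r ]; then echo "GROUP-READABLE $f ($mode)"; rc=1; fi
  [ "$rc" -eq 0 ] && echo "OK $f ($mode)"
  return "$rc"
}

# harden_properties FILE: the workaround given in the thread, chmod 600
harden_properties() {
  chmod 600 "$1"
}

# demo: a constructed properties.txt with the post-install mode from the report
demo() {
  d=$(mktemp -d)
  printf 'server.password=changeme\nadmin.password=secret\n' > "$d/properties.txt"
  chmod 644 "$d/properties.txt"                 # "-rw-r--r--"
  audit_properties "$d/properties.txt" || true  # WORLD-READABLE, returns 1
  harden_properties "$d/properties.txt"
  audit_properties "$d/properties.txt"          # OK, returns 0
  rm -rf "$d"
}
demo
```

Run it against the real install directory by calling audit_properties on the actual properties.txt path; the vendor's reply confirms the server leaves the tightened permissions alone.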