Bugtraq: Plain Text Password Vulnerability in Winamp 2.80

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Plain Text Password Vulnerability in Winamp 2.80

From: isox () chainsawbeer com
Date: 19 May 2002 04:41:33 -0000

When a URL's is streamed in winamp which requires HTTP authentication, the user is prompted to enter a username and 
password.  This username and password is then stored as plain text in the file winamp.ini under the section 
[HTTP-AUTH].  The format of stored passwords (it seems) is <domain - TLD>=<username>:<password>.
 
URL's which are streamed are also kept as history in the winamp.ini file under the [winamp] section.  This includes 
URL's which include the username/password in them (ie, http://username:password () site).
 
This was verified in Winamp 2.80 on Windows XP.
 
- isox

By Date By Thread

Current thread:

Plain Text Password Vulnerability in Winamp 2.80 isox (May 20)
- <Possible follow-ups>
- Re: Plain Text Password Vulnerability in Winamp 2.80 Muhammad Faisal Rauf Danka (May 21)