Re: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users

To: kozan@xxxxxxxxxxxxxxxxxx
Subject: Re: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 24 Aug 2005 18:03:20 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050823132016.18275.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <20050823132016.18275.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear kozan@xxxxxxxxxxxxxxxxxx,

There  is no bug, at least described one. Only current user or user with
administrative privileges can access HKEY_CURRENT_USER.


--Tuesday, August 23, 2005, 5:20:16 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:


ksc> Mercora IMRadio 4.0.0.0 stores username and passwords in the Windows
ksc> Registry in plain text. A local user can read the values.

ksc> HKEY_CURRENT_USER\Software\Mercora\MercoraClient\Profiles
ksc> Auto.Username = Mercora IMRadio Username
ksc> Auto.Password = Mercora IMRadio Password



-- 
~/ZARAZA
http://www.security.nnov.ru/

References:
- Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
  - From: kozan

Prev by Date: Re: LeapFTP .lsq Buffer Overflow Vulnerability
Next by Date: Advisory: iTAN not as secure as claimed
Previous by thread: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users
Next by thread: [USN-172-1] lm-sensors vulnerability
Index(es):
- Date
- Thread