Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =)
I was recently setting up a Nullsoft SHOUTcast server to relay some
content when I noticed the Administrator password is stored plain text in
the configuration file (./sc_serv.conf by default).
The password is also LOGGED when the web based administration tool is
used. It can be obtained by simply grep'ing the logfile output. The
offending line is here:
<08/20/99@06:11:41> [http:1 my.computer.com]
REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0;
Windows 98))
Obtaining the Administrator password allows administration via the web
based system, as well has hijacking the content stream going out to
listeners.
Quick fix would be simply chmod the log and config files to prevent world
reading. Nullsoft should of course parse there log output for sensitive
data, and possibly look into UNIX crypt() for its passwords.
-arr0w
---
Mike Damm http://www.dahphish.org/~arrow/
[EMAIL PROTECTED] [EMAIL PROTECTED]
Sometimes I think windows calls DevideByZero();
