Bugtraq mailing list archives
Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)
From: "K, KRazY" <krazy-k () shell acadiacom net>
Date: Tue, 7 Nov 2000 08:56:08 -0600
I would like to apologize for the misunderstanding between myself and Volano LLC. I don't understand what happened to the network that prevented me from receiving their email. I used a real address that I receive tons of mail to every day. I was unaware of any network problem on the days that the vendor attempted to contact me.

I am in no way attempting to "threaten" the vendor. I always work with the vendor when they respond and understand now that Volano did attempt to respond.

I don't understand how Carel Neffenger can say "... obviously not a security issue, and is a simple matter of directory and file permissions." Normally files that are installed by a product are locked down or there is a section in the documentation to cover a secure configuration.

The issue is now understood so admins can configure securely (currently some are not).

Thanks!
KraZY-k

On Mon, 6 Nov 2000, Volano Support wrote:

> Hello Brad:
>
> The reply to this person's email is below. Also, as you can see, numerous attempts, from August 2-9, were made to send to this person's email address. However, each and every attempt returned a permanent fatal error with their email address.
>
> We reply promptly to all emails. However, we cannot assist when erroneous email addresses are provided. It is unfortunate that we were "threatened" by this person about "going public" with what is obviously not a security issue, and is a simple matter of directory and file permissions.
>
> If you are a member of this list, please notify others to use valid email addresses if they expect a response.
>
> Sincerely,
> Carel Neffenger
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of K, KRazY
> Sent: Sunday, November 05, 2000 9:54 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
>
> Title: VolanoChatPro stores plain text password in a publicly accessible file.
> Date: November 4, 2000
> Risk: Low. No system privileges are granted.
> Vendor Site: http://www.volano.com
> =================================================
>
> VolanoChatPro, a widely used chat server on the Internet, allows anyone with access to the filesystem to obtain chat server admin access. In the directory where VolanoChatPro is installed, there is a file named "properties.txt". This file stores the config for the server, including the value of server.password and admin.password. After install, the permissions on this file are "-rw-r--r--".
>
> I contacted the vendor on August 2, 2000 and have gotten no response. I think a workaround would be to change the permissions so that only the owner can read the file. I asked the vendor if this would cause any other problems or if the product would reset the permissions and got no response. This is not addressed in documentation.
>
> I was saddened to see that the company lists many high profile customers (Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See http://www.volano.com/customers.html), but wouldn't respond to a security email.
>
> .:Shout outs to:.
> - /* Commander Crash */
> -- Driver, pull over at the next cross-over.
> - Scanman
>
> Date: Wed, 9 Aug 2000 11:47:41 -0800
> To: krazy-k () acadiacom net
> From: Volano Support <support () volano com>
> Subject: Fwd: Returned mail: Cannot send message within 5 days
> Cc:
> Bcc:
> X-Attachments:
>
> Date: Wed, 9 Aug 2000 09:11:56 -0700
> From: Mail Delivery Subsystem <MAILER-DAEMON () server1 volano com>
> To: <support () volano com>
> Subject: Returned mail: Cannot send message within 5 days
> Auto-Submitted: auto-generated (failure)
>
> The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
> from vp029.dds01.sea.blarg.net [206.124.137.29]
>
> ----- The following addresses had permanent fatal errors -----
> <krazy-k () shell acadiacom net>
>
> ----- Transcript of session follows -----
> <krazy-k () shell acadiacom net>... Deferred: Name server: shell.acadiacom.net.: host name lookup failure
> Message could not be delivered for 5 days
> Message will be deleted from queue
>
> Reporting-MTA: dns; server1.volano.com
> Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700
>
> Final-Recipient: RFC822; krazy-k () shell acadiacom net
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; shell.acadiacom.net
> Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700
>
> Return-Path: <support () volano com>
> Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29]) by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229 for <krazy-k () shell acadiacom net>; Fri, 4 Aug 2000 08:21:42 -0700
> Mime-Version: 1.0
> X-Sender: support () mail volano com (Unverified)
> Message-Id: <p04320409b5b08cf19c26@[216.225.114.67]>
> In-Reply-To: <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
> References: <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
> Date: Fri, 4 Aug 2000 08:09:55 -0700
> To: krazy-k () shell acadiacom net
> From: Volano Support <support () volano com>
> Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> Hello:
>
> The email address you supply is being returned as undeliverable. Below is a forward of my email from Wednesday.
>
> Date: Wed, 2 Aug 2000 10:07:42 -0700
> To: krazy-k () shell acadiacom net
> From: Volano Support <support () volano com>
> Subject: Re: Security: Telnet + VChat = VChat admin
> Cc:
> Bcc:
> X-Attachments:
>
> Hi. I took a quick look at your VolanoChatPro product. I noticed that your product sets the file properties.txt with the following permissions, "-rw-r--r--". Since this file is readable by anyone, it is possible for anyone with filesystem access to read the file and obtain the value of server.password and admin.password. Once someone has these, obviously bad things can happen. I didn't see this issue addressed in online documentation. Are there any plans to fix this? If I manually set the permissions, will your product change the permission back to "-rw-r--r--" or can I rely on the permissions staying the same? Thanks.
>
> If you're running on a multi-user system where others have login accounts, then of course, you should change the permissions so that other users can't read the file. The VolanoChat server will leave the permissions as you define them. For example, you could set it to:
>
> chmod 600 properties.txt
>
> That will set it so only the userid under which you installed and start the VolanoChat server can read the file. Also, make sure that the files are not publicly available under your web server directories.
>
> Sincerely,
> Carel Neffenger
>
> I have heard no response from you. I will go public in 2 weeks.
>
> ---------- Forwarded message ----------
> Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
> From: krazy-k () shell acadiacom net
> To: support () volano com
> Cc: security () volano com
> Subject: Security: Telnet + VChat = VChat admin
>
> Hi. I took a quick look at your VolanoChatPro product. I noticed that your product sets the file properties.txt with the following permissions, "-rw-r--r--". Since this file is readable by anyone, it is possible for anyone with filesystem access to read the file and obtain the value of server.password and admin.password. Once someone has these, obviously bad things can happen. I didn't see this issue addressed in online documentation. Are there any plans to fix this? If I manually set the permissions, will your product change the permission back to "-rw-r--r--" or can I rely on the permissions staying the same? Thanks.
>
> --
> ------------------------------------------------------------------
> Volano LLC 331 Andover Park East, #240, Seattle, WA 98188-7601
> tel (206) 575-9129 fax (909) 498-9986 mailto:support () volano com
> Volano LLC Home Page http://www.volano.com/
> Volano Chat Administrator Guides: http://www.volano.com/documentation.html
>
> --
> --------------------------------------------------------
> Volano LLC 331 Andover Park East, #240, Seattle, WA 98188-7601
> tel (206) 575-9129 -- fax (909) 498-9986 mailto:support () volano com
> Volano LLC Home Page http://www.volano.com/
> Volano Chat Administrator Guides: http://www.volano.com/documentation.html
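The whole thread turns on one thing: properties.txt ships as -rw-r--r-- while holding server.password and admin.password, and the vendor's remedy is chmod 600 properties.txt. Below is an added POSIX shell audit that detects that exposure the way an administrator would check a multi-user host, and applies the same fix. It is an added example, not code from either poster or from Volano; the file name and the two key names come from the thread, while the function names, the --fix flag and the sample file contents are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread or from Volano): audit a VolanoChat-style
# properties.txt for readability by accounts other than its owner, count the
# credential keys it sets, and apply the vendor's fix (chmod 600).
# Function names, the --fix flag and the sample contents are constructed here.

# Ten-character mode string as printed by ls, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when the group-read bit (position 5) or the other-read bit
# (position 8) is set, i.e. users other than the owner can read the file.
is_exposed() {
    case "$(mode_of "$1")" in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of server.password / admin.password entries the file actually sets
# (the two keys named in the report); 0 when neither is present.
count_sensitive() {
    grep -cE '^(server|admin)\.password=' "$1" || true
}

# Report one file. Exit 0 when it is owner-only, 1 when it is exposed.
audit_file() {
    if is_exposed "$1"; then
        printf 'EXPOSED %s mode=%s credential_keys=%s\n' \
            "$1" "$(mode_of "$1")" "$(count_sensitive "$1")"
        return 1
    fi
    printf 'OK      %s mode=%s\n' "$1" "$(mode_of "$1")"
    return 0
}

# The vendor's remediation: owner read/write only. Per the vendor's reply the
# server leaves the mode as set, so this only has to be done once.
harden_file() {
    chmod 600 "$1"
}

# Write a constructed sample into a fresh temp directory with the post-install
# mode the report describes (-rw-r--r--). The values are placeholders.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/properties.txt" <<'EOF'
server.host=localhost
server.port=8000
server.password=PLACEHOLDER_SERVER_PW
admin.password=PLACEHOLDER_ADMIN_PW
EOF
    chmod 644 "$dir/properties.txt"
    printf '%s\n' "$dir/properties.txt"
}

# Stand-alone use: ./audit.sh [--fix] /path/to/properties.txt ...
fix=0
if [ "${1:-}" = "--fix" ]; then
    fix=1
    shift
fi
for f in "$@"; do
    if ! audit_file "$f" && [ "$fix" -eq 1 ]; then
        harden_file "$f"
        audit_file "$f"
    fi
done
```

The check reads the group- and other-read bits from the ls mode string rather than a numeric mode, so it matches the "-rw-r--r--" notation the report uses and works on any system with a POSIX ls; make_sample writes only into a mktemp directory, so running it touches no real installation.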
Current thread:
- Filesystem Access + VolanoChat = VChat admin (fwd) K, KRazY (Nov 06)
- <Possible follow-ups>
- Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd) Volano Support (Nov 07)
- Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd) K, KRazY (Nov 08)