Bugtraq mailing list archives

Plain Text Password Vulnerability in Winamp 2.80

From: isox () chainsawbeer com
Date: 19 May 2002 04:41:33 -0000

When a URL's is streamed in winamp which requires HTTP authentication, the user is prompted to enter a username and 
password.  This username and password is then stored as plain text in the file winamp.ini under the section 
[HTTP-AUTH].  The format of stored passwords (it seems) is <domain - TLD>=<username>:<password>.
 
URL's which are streamed are also kept as history in the winamp.ini file under the [winamp] section.  This includes 
URL's which include the username/password in them (ie, http://username:password@site).
 
This was verified in Winamp 2.80 on Windows XP.
 
- isox

Current thread:

Plain Text Password Vulnerability in Winamp 2.80 isox (May 20)
- <Possible follow-ups>
- Re: Plain Text Password Vulnerability in Winamp 2.80 Muhammad Faisal Rauf Danka (May 21)