Bugtraq mailing list archives
Re: Plain Text Password Vulnerability in Winamp 2.80
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Mon, 20 May 2002 18:49:35 -0700 (PDT)
I don't think winamp people ever intended to introduce MD5 or SHA1 hashes for saving passwords, or did they?

It is very well a bug if winamp does not prompt or add a tick mark saying something like "Save Password", but if it does and you have tried it by clicking on it, then I guess it is pretty much intended to act in such manner. Currently do not have access to winamp, else I would've checked. =)

Best Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending."

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- isox () chainsawbeer com wrote:
When a URL is streamed in winamp which requires HTTP authentication, the user is prompted to enter a username and password. This username and password are then stored as plain text in the file winamp.ini under the section [HTTP-AUTH]. The format of stored passwords (it seems) is <domain - TLD>=<username>:<password>.

URLs which are streamed are also kept as history in the winamp.ini file under the [winamp] section. This includes URLs which include the username/password in them (i.e., http://username:password@site).

This was verified in Winamp 2.80 on Windows XP.

- isox
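Added example, not part of either post and not Winamp code: a Python check that reads an INI file in the layout isox describes and reports which entries hold a clear-text password, without ever returning the password itself. The sample file, its host name and the [winamp] key names entry_a/entry_b are constructed; the post does not name the history keys, so every value in [winamp] is checked.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample in the layout the post describes; every value is made up.
# The key names entry_a/entry_b are hypothetical (the post does not give them).
SAMPLE_INI = """\
[winamp]
volume=200
entry_a=http://listener:hunter2@radio.example/stream
entry_b=http://radio.example/public

[HTTP-AUTH]
radio.example=listener:hunter2
"""

def find_plaintext_credentials(ini_text):
    """Return (section, key, username) for each stored credential.

    The password itself is never returned, so the report is safe to log.
    """
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False,
        allow_no_value=True, comment_prefixes=(";",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ini_text)
    findings = []
    # [HTTP-AUTH]: <domain>=<username>:<password>, as reported in the post.
    if cp.has_section("HTTP-AUTH"):
        for key, value in cp.items("HTTP-AUTH"):
            user, sep, password = (value or "").partition(":")
            if sep and password:
                findings.append(("HTTP-AUTH", key, user))
    # [winamp]: any value that is a URL carrying user:password@host.
    if cp.has_section("winamp"):
        for key, value in cp.items("winamp"):
            try:
                parts = urlsplit(value or "")
            except ValueError:
                continue  # not a parseable URL
            if parts.scheme and parts.password:
                findings.append(("winamp", key, parts.username))
    return findings

if __name__ == "__main__":
    for section, key, user in find_plaintext_credentials(SAMPLE_INI):
        print(f"[{section}] {key}: password stored in clear text for user {user!r}")
```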
Current thread:
- Plain Text Password Vulnerability in Winamp 2.80 isox (May 20)
- <Possible follow-ups>
- Re: Plain Text Password Vulnerability in Winamp 2.80 Muhammad Faisal Rauf Danka (May 21)