Date: Tue, 01 Sep 2009 09:00:42 +0200
From: Stefan Bauer <stefan.bauer@...ewerk.de>
To: bugtraq@...urityfocus.com
Subject: Norman Internet Update Deamon sends cleartext license key on update

I just discovered that the Linux Norman Internet Update daemon (niu) sends
our corporate license key in cleartext over HTTP when the first update is
triggered.

Output of niu --trace shows

SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-
asdfa-asdfa$000020022050205220702072208020822$5'(117)

asdfa-asdfa-asdfa-asdfa-asdfa is our key.

Norman confirmed the bug but did not provide a timeline for any updates.

Regards

-- 
cubewerk ------------------------------ stefan.bauer@...ewerk.de
IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
83308 Trostberg -------------------------------- www.cubewerk.de
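
Added example, not part of the original post and not Norman's code: a small Python helper that finds the key in saved `niu --trace` output, reports which host it was sent to, and masks it so the trace can be shared in a bug report. It assumes the key is the second `$`-separated field of sAuthUrl, as in the trace above; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the trace in the post; the key is the
# post's own placeholder and the URL is wrapped mid-key as in the e-mail.
SAMPLE_TRACE = """\
SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-
asdfa-asdfa$000020022050205220702072208020822$5'(117)
"""

# Assumption: the key is the second '$'-separated field, as in the post's trace.
KEY_FIELD = 1
# [^']* also spans newlines, so a URL wrapped across lines is still captured.
AUTH_URL = re.compile(r"sAuthUrl='([^']*)'")


def _unwrap(url):
    """Undo mail/terminal line wrapping inside a quoted URL."""
    return re.sub(r"\s+", "", url)


def find_exposed_keys(trace):
    """Return (host, key) for every sAuthUrl that carries a key field."""
    hits = []
    for m in AUTH_URL.finditer(trace):
        url = _unwrap(m.group(1))
        fields = url.split("$")
        if len(fields) > KEY_FIELD and fields[KEY_FIELD]:
            host = url.split("/", 1)[0]
            hits.append((host, fields[KEY_FIELD]))
    return hits


def redact_trace(trace, mask="<REDACTED-KEY>"):
    """Replace the key field in each sAuthUrl so the trace can be shared."""
    def _sub(m):
        fields = _unwrap(m.group(1)).split("$")
        if len(fields) > KEY_FIELD and fields[KEY_FIELD]:
            fields[KEY_FIELD] = mask
        return "sAuthUrl='" + "$".join(fields) + "'"
    return AUTH_URL.sub(_sub, trace)


if __name__ == "__main__":
    for host, key in find_exposed_keys(SAMPLE_TRACE):
        print(f"key of length {len(key)} sent to {host}")
    print(redact_trace(SAMPLE_TRACE))
```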