Message-ID: <JIEPJGFPFMFIGBNCPKGGAELEFPAA.BStrauss@acm.org>
Date: Tue, 6 Jul 2004 09:21:43 -0500
From: "Burton M. Strauss III" <BStrauss@....org>
To: <bugtraq@...urityfocus.com>
Subject: xingtone opens server on desktop using undocumented protocol (probably http)
xingtone (www.xingtone.com) is a popular accessory for mobile phone ringtone creation and download:

"Xingtone's desktop software is easy-to-use, legal, and allows you to create mobile phone ringtones using digital audio files on your computer - music clips, sound effects, your child's laugh, your dog's bark, or any sound you like!"

In the FAQ are these sections:

"How does the file get to my phone?
The section devoted to Using Ringtones describes this process in more detail. Basically, the audio file is sent directly from your PC to the phone in the form of an Internet link. During uploading, you will see the status of the file during transport. Once you see the "RINGING" status, you can check your phone for the text message. If you see an error such as "Attempt to Connect Rejected," it is likely that you are operating behind a firewall, which prevents the text message and file from reaching your phone. Please try suspending any firewalls or web filters temporarily and try re-sending the file."

"What should I do with the text message that arrives on my phone?
The text message tells your phone where your ringtone is located. You must keep the program open on your desktop in order to receive the text message. If you upload a ringtone and do not receive a text message on your phone very soon after that, please right-click on the silver part of the program and confirm that you have selected the correct phone model and network. Also, make sure that your coverage area is adequate enough to receive data/text messages."

Note the "You must keep the program open on your desktop in order to receive the text message."

When queried as to whether this meant that the desktop program was in fact running a server and if so, which ports and protocols were being used, the response was:

"if I told you I'd have to kill you......"

Users are cautioned that they may wish to explore the implications of running this program. I'm guessing it's running a small web server, but I'm disinclined to explore further and can't offer any information on which files are exposed or how secure it is.
-----Burton
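One way to check the concern raised in this post on your own machine, added here as example code that is not part of the original post or of the vendor's software: parse `netstat -ano` and `tasklist /fo csv` output to find which TCP ports a given process listens on and whether they are bound to all interfaces (reachable from the network once the firewall is suspended, as the FAQ advises), and test whether a local listener answers with an HTTP status line. The sample outputs, the PIDs, the port numbers and the image name `ringtone_app.exe` are constructed.

```python
import csv
import io
import re
import socket

# Constructed `netstat -ano` output; the PIDs and the 8081 listener are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2468
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1300
  TCP    192.168.1.5:1044       203.0.113.7:80         ESTABLISHED     2468
"""
# Constructed `tasklist /fo csv` output; ringtone_app.exe is a hypothetical image name.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Console","0","4,212 K"
"mdnsresp.exe","1300","Console","0","2,100 K"
"ringtone_app.exe","2468","Console","0","12,004 K"
"""
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def pid_to_image(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(tasklist_csv))}

def listeners_for(image_name, netstat_text, tasklist_csv):
    """TCP listeners owned by image_name as (bind_address, port, reach); reach is
    'local' for a loopback bind and 'network' for anything else (e.g. 0.0.0.0)."""
    images = pid_to_image(tasklist_csv)
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or images.get(int(m.group(3))) != image_name:
            continue
        addr, port = m.group(1), int(m.group(2))
        reach = "local" if addr.startswith("127.") or addr == "[::1]" else "network"
        found.append((addr, port, reach))
    return found

def looks_like_http(reply):
    """True if the first bytes back from a listener form an HTTP status line."""
    return re.match(rb"HTTP/\d\.\d \d{3}", reply) is not None

def probe_local(port, timeout=2.0):
    """Send a minimal GET to a listener on this machine and return its first reply bytes."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
        return s.recv(512)
```

Run `listeners_for` on real `netstat -ano` / `tasklist /fo csv` output, then pass each reported port to `probe_local` and `looks_like_http` to confirm or refute the web-server guess.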