| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Sep 2009 17:18:57 -0400 From: Jeffrey Walton <noloader@...il.com> To: Stefan Bauer <stefan.bauer@...ewerk.de> Cc: bugtraq@...urityfocus.com Subject: Re: Norman Internet Update Deamon sends cleartext license key on update Hi Stefan, > linux norman internet update deamon (niu) sends our > corporate license key in cleartext over http when the > first update is triggered. Similar problems (use of insecure channels) was reported on June 9, 2009 with their Windows software. Jeff On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer<stefan.bauer@...ewerk.de> wrote: > I just discovered, that the linux norman internet update deamon > (niu) sends our corporate license key in cleartext over http when > the first update is triggered. Output of niu --trace shows > > SelectNextValServer (1): first: 0 > ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no' > sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa- > > asdfa-asdfa$000020022050205220702072208020822$5'(117) > > asdfa-asdfa-asdfa-asdfa-asdfa is our key. > > Norman confirmed the bug but did not provide a timeline for any updates. > > Regards > > -- > cubewerk ------------------------------ stefan.bauer@...ewerk.de > IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37 > Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551 > 83308 Trostberg -------------------------------- www.cubewerk.de >
Powered by blists - more mailing lists