[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <605f8e050909011418l3aaefa5i9d9dbb1bfca7f4c7@mail.gmail.com>
Date: Tue, 1 Sep 2009 17:18:57 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Stefan Bauer <stefan.bauer@...ewerk.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Norman Internet Update Deamon sends cleartext license key on
update
Hi Stefan,
> linux norman internet update deamon (niu) sends our
> corporate license key in cleartext over http when the
> first update is triggered.
Similar problems (use of insecure channels) was reported on June 9,
2009 with their Windows software.
Jeff
On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer<stefan.bauer@...ewerk.de> wrote:
> I just discovered, that the linux norman internet update deamon
> (niu) sends our corporate license key in cleartext over http when
> the first update is triggered. Output of niu --trace shows
>
> SelectNextValServer (1): first: 0
> ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
> sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-
>
> asdfa-asdfa$000020022050205220702072208020822$5'(117)
>
> asdfa-asdfa-asdfa-asdfa-asdfa is our key.
>
> Norman confirmed the bug but did not provide a timeline for any updates.
>
> Regards
>
> --
> cubewerk ------------------------------ stefan.bauer@...ewerk.de
> IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
> Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
> 83308 Trostberg -------------------------------- www.cubewerk.de
>
Powered by blists - more mailing lists