lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <605f8e050909011418l3aaefa5i9d9dbb1bfca7f4c7@mail.gmail.com>
Date: Tue, 1 Sep 2009 17:18:57 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Stefan Bauer <stefan.bauer@...ewerk.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Norman Internet Update Deamon sends cleartext license key on 
	update

Hi Stefan,

> linux norman internet update deamon (niu) sends our
> corporate license key in cleartext over http when the
> first update is triggered.
Similar problems (use of insecure channels) was reported on June 9,
2009 with their  Windows software.

Jeff

On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer<stefan.bauer@...ewerk.de> wrote:
> I just discovered, that the linux norman internet update deamon
> (niu) sends our corporate license key in cleartext over http when
> the first update is triggered. Output of niu --trace shows
>
> SelectNextValServer (1): first: 0
> ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
> sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-
>
>               asdfa-asdfa$000020022050205220702072208020822$5'(117)
>
> asdfa-asdfa-asdfa-asdfa-asdfa is our key.
>
> Norman confirmed the bug but did not provide a timeline for any updates.
>
> Regards
>
> --
> cubewerk ------------------------------ stefan.bauer@...ewerk.de
> IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
> Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
> 83308 Trostberg -------------------------------- www.cubewerk.de
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ