Re: Mercora IMRadio 4.0.0.0 Discloses Passwords to Local Users

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear kozan () spyinstructors com,

There  is no bug, at least described one. Only current user or user with
administrative privileges can access HKEY_CURRENT_USER.


--Tuesday, August 23, 2005, 5:20:16 PM, you wrote to bugtraq () securityfocus com:


ksc> Mercora IMRadio 4.0.0.0 stores username and passwords in the Windows
ksc> Registry in plain text. A local user can read the values.

ksc> HKEY_CURRENT_USER\Software\Mercora\MercoraClient\Profiles
ksc> Auto.Username = Mercora IMRadio Username
ksc> Auto.Password = Mercora IMRadio Password



-- 
~/ZARAZA
http://www.security.nnov.ru/