Bugtraq mailing list archives
Re: Norman Internet Update Deamon sends cleartext license key on update
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 1 Sep 2009 17:18:57 -0400
Hi Stefan,
> linux norman internet update daemon (niu) sends our corporate license key in cleartext over http when the first update is triggered.

Similar problems (use of insecure channels) were reported on June 9, 2009 with their Windows software.

Jeff

On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer <stefan.bauer () cubewerk de> wrote:
> I just discovered that the linux norman internet update daemon (niu) sends our corporate license key in cleartext over http when the first update is triggered.
>
> Output of niu --trace shows
>
> SelectNextValServer (1): first: 0
> ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
> sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5'(117)
>
> asdfa-asdfa-asdfa-asdfa-asdfa is our key.
>
> Norman confirmed the bug but did not provide a timeline for any updates.
>
> Regards
> --
> cubewerk ------------------------------ stefan.bauer () cubewerk de
> IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
> Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
> 83308 Trostberg -------------------------------- www.cubewerk.de
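Added example, not part of either message and not Norman's code: a check an administrator could run over saved `niu --trace` output to flag an `sAuthUrl` that carries a license key without TLS, and to mask the key before the trace is shared. The function names, the five-groups-of-five key pattern and the rule that a URL without an explicit `https://` scheme counts as unencrypted are assumptions drawn from the trace quoted above.

```python
import re

# Constructed sample modelled on the trace quoted in the post;
# the key is the post's own placeholder value.
SAMPLE_TRACE = """\
SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5'(117)
"""

SAUTH_RE = re.compile(r"sAuthUrl='([^']*)'")
# Assumption: '$' separates the query fields and the key is five
# hyphen-joined groups of five alphanumerics, as in the quoted trace.
KEY_RE = re.compile(r"\$((?:[A-Za-z0-9]{5}-){4}[A-Za-z0-9]{5})(?=\$)")


def find_exposures(trace):
    """Return one finding per sAuthUrl line that embeds a key-shaped field."""
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        url_match = SAUTH_RE.search(line)
        if not url_match:
            continue
        url = url_match.group(1)
        key_match = KEY_RE.search(url)
        if not key_match:
            continue
        scheme, sep, rest = url.partition("://")
        if not sep:                      # no scheme in the trace line
            scheme, rest = "", url
        findings.append({
            "line": lineno,
            "host": rest.split("/", 1)[0],
            # Assumption: only an explicit https:// counts as encrypted.
            "encrypted": scheme.lower() == "https",
            "key": key_match.group(1),
        })
    return findings


def redact(trace):
    """Mask the key inside every sAuthUrl so the trace can be shared."""
    def mask(match):
        return "sAuthUrl='" + KEY_RE.sub("$<REDACTED-KEY>", match.group(1)) + "'"
    return SAUTH_RE.sub(mask, trace)


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_TRACE):
        print(finding["line"], finding["host"], "encrypted:", finding["encrypted"])
    print(redact(SAMPLE_TRACE))
```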