Bugtraq mailing list archives

Re: Norman Internet Update Deamon sends cleartext license key on update


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 1 Sep 2009 17:18:57 -0400

Hi Stefan,

linux norman internet update daemon (niu) sends our
corporate license key in cleartext over http when the
first update is triggered.
Similar problems (use of insecure channels) were reported on June 9,
2009 with their Windows software.

Jeff

On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer<stefan.bauer () cubewerk de> wrote:
I just discovered that the linux norman internet update daemon
(niu) sends our corporate license key in cleartext over http when
the first update is triggered. Output of niu --trace shows:

SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5'(117)

asdfa-asdfa-asdfa-asdfa-asdfa is our key.

Norman confirmed the bug but did not provide a timeline for any updates.

Regards

--
cubewerk ------------------------------ stefan.bauer () cubewerk de
IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
83308 Trostberg -------------------------------- www.cubewerk.de
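
Added example, not part of the original thread and not Norman's code: a small Python scrubber for `niu --trace` output that flags a key-shaped field inside `sAuthUrl` and redacts it before the trace is shared or archived. The key pattern (five hyphen-separated groups of five alphanumerics, modelled on the placeholder in the post) and the names `scan_trace`, `KEY_RE` and `AUTH_RE` are assumptions.

```python
import re

# Constructed sample: the trace lines quoted in the post, with the wrapped
# sAuthUrl line rejoined. The key is the poster's placeholder, not a real key.
SAMPLE_TRACE = """\
SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5'(117)
"""

# Assumption: a key looks like the placeholder, five hyphen-separated groups
# of five alphanumerics. Adjust to the real key format before relying on it.
KEY_RE = re.compile(r"[A-Za-z0-9]{5}(?:-[A-Za-z0-9]{5}){4}")
# sAuthUrl='<url>'(<n>); in the quoted sample <n> equals len(url).
AUTH_RE = re.compile(r"sAuthUrl='([^']*)'\((\d+)\)")


def scan_trace(text):
    """Return (findings, redacted_text) for a niu --trace capture."""
    findings = []

    def scrub(match):
        url, declared = match.group(1), int(match.group(2))
        fields = url.split("$")  # '$' separates the request fields
        for i, field in enumerate(fields):
            if KEY_RE.fullmatch(field):
                findings.append({
                    "host": url.split("/", 1)[0],
                    "field_index": i,
                    # False suggests the URL was truncated or re-wrapped
                    "length_ok": declared == len(url),
                })
                fields[i] = "<REDACTED-KEY>"
        return "sAuthUrl='%s'(%d)" % ("$".join(fields), declared)

    return findings, AUTH_RE.sub(scrub, text)


if __name__ == "__main__":
    found, clean = scan_trace(SAMPLE_TRACE)
    for f in found:
        print("key-shaped field %(field_index)d in request to %(host)s" % f)
    print(clean)
```
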


