COMMAND
Audiogalaxy.com mp3 sharing
SYSTEMS AFFECTED
Audiogalaxy.com mp3 sharing
PROBLEM
'altomo' found the following. Audiogalaxy.com is a website devoted
to mp3s that offers an mp3 sharing program.
While this problem will not stop the world or allow the script
kiddies to ./wu their way through us, it's a problem nonetheless.
Versions of the Audiogalaxy Satellite software pre .601W for Windows
held the username and password for a user's account in a plain
text file within the audiogalaxy directory on their system. An
intruder who gained this information would directly compromise
only the list of songs in the download queue (which is stored on
the server), but this could have other effects.
Theory one. 1. Gain the username and password for a user's acct.
Intruder modifies the download queue so that when the user comes
online they will download an "mp3" from the intruder's system. The
mp3 is actually something else, i.e. a virus or Back Orifice or
similar program. If the user ran the mp3 directly then of course
the infection would start. Let's examine this a little further.
Evil intruder steals password and username. Edits download queue.
User runs fake mp3 which is Back Orifice. User gets keylogged.
User is government employee who telnets (telnet bad) into secure
government system. Government system not secure anymore. Web site
gets defaced. Oh no, the kiddies can use this.
Theory two. 2. Many users use a common password, and this is the
point that the author brought to Audiogalaxy. While it's not their
problem if a user does this, why not help out? If the user had
their Audiogalaxy username and password compromised then it's
possible other things get compromised.
SOLUTION
Upgrade to the newest version, which has been out for some time, and
in general use different passwords.
The Linux version has this problem and it has not been fixed. The
.6 series of the program has not been released for Linux as of yet
(currently .52). account.txt is clear text in that version.
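For the unfixed Linux version, the added example below (not part of
the original advisory or of Audiogalaxy's software) checks whether
account.txt is accessible to other local users and restricts it to
its owner. The install directory passed as an argument and the
function names are assumptions; the file contents stay clear text.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the clear-text account.txt.
# ASSUMPTION: the Satellite install directory is passed as the first
# argument; the advisory does not say where that directory lives.

# Print one of: missing | exposed | owner-only
audit_account_file() {
    f="$1/account.txt"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL "$f" | cut -c5-10)
    if [ "$bits" = "------" ]; then
        echo "owner-only"
    else
        echo "exposed"
    fi
}

# Remove all group and other access from account.txt (mode 600).
harden_account_file() {
    f="$1/account.txt"
    [ -f "$f" ] || return 1
    chmod 600 "$f"
}

# Stand-alone use: sh audit.sh /path/to/audiogalaxy
if [ -n "${1:-}" ]; then
    state=$(audit_account_file "$1")
    echo "account.txt: $state"
    if [ "$state" = "exposed" ]; then
        harden_account_file "$1" &&
            echo "account.txt: now $(audit_account_file "$1")"
    fi
fi
```

This only limits exposure to other accounts on the same machine;
anyone who can read files as the owner still sees the password.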