COMMAND

    Audiogalaxy.com mp3 sharing

SYSTEMS AFFECTED

    Audiogalaxy.com mp3 sharing

PROBLEM

    'altomo' found the following.  Audiogalaxy.com is a website devoted
    to mp3s that offers an mp3 sharing program.

    While this problem will not stop the world or allow the script
    kiddies to ./wu their way through us, it's a problem nonetheless.
    Versions of the Audiogalaxy Satellite software prior to .601W for
    Windows held the username and password for a user's account in a
    plain text file within the audiogalaxy directory on their system.
    While an intruder who gained this information could directly
    compromise only the list of songs in the download queue (which is
    stored on the server), this could have other effects.

    Theory one.  Gain the username and password for a user's account.
    The intruder modifies the download queue so that when the user comes
    online they will download an "mp3" from the intruder's system.  The
    mp3 is actually something else, e.g. a virus, Back Orifice or a
    similar program.  If the user ran the mp3 directly then of course
    the infection would start.  Let's examine this a little further.
    Evil intruder steals password and username.  Edits download queue.
    User runs fake mp3 which is Back Orifice.  User gets keylogged.
    User is a government employee who telnets (telnet bad) into a secure
    government system.  Government system not secure anymore.  Web site
    gets defaced.  Oh no, the kiddies can use this.

    Theory two.  Many users use a common password, and this is the
    point that the author brought to Audiogalaxy.  While it's not their
    problem if a user does this, why not help out?  If the user had
    their Audiogalaxy username and password compromised then it's
    possible other things get compromised as well.

SOLUTION

    Upgrade to the newest version, which has been out for some time,
    and in general use different passwords for different services.

    The Linux version has this problem and it has not been fixed.  The
    .6 series of the program has not been released for Linux as of yet
    (currently .52).  account.txt is clear text in that version.
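    The following is an added audit script, not part of the advisory and
    not Audiogalaxy's code.  It covers both the Windows description above
    (credentials in a plain text file inside the install directory) and
    the Linux note that account.txt is clear text.  It takes an install
    directory, reports whether account.txt is present, whether its mode
    bits let other local users read it, and which credential keys it
    contains (never the values), then applies an interim 0600 restriction.
    The file name account.txt comes from the advisory; the key=value line
    layout, the demo directory and the sample credentials are constructed
    assumptions, and the mode-bit checks assume POSIX permission semantics.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# File name from the advisory (Linux Satellite .52 keeps credentials here).
# The line format inside it is not given by the advisory; the key=value
# layout matched below is a constructed assumption for this example.
CREDENTIAL_FILENAME = "account.txt"
CREDENTIAL_KEYS = re.compile(r"^\s*(user(?:name)?|pass(?:word)?)\s*[=:]\s*(\S+)", re.I)


@dataclass
class Finding:
    path: str
    exists: bool
    world_readable: bool = False
    group_readable: bool = False
    credential_keys: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True when credential-looking lines sit on disk in clear text."""
        return self.exists and bool(self.credential_keys)


def audit_install_dir(install_dir: str) -> Finding:
    """Look for a clear-text credential file in an Audiogalaxy install directory."""
    path = os.path.join(install_dir, CREDENTIAL_FILENAME)
    if not os.path.isfile(path):
        return Finding(path=path, exists=False)
    mode = os.stat(path).st_mode  # POSIX mode bits assumed
    finding = Finding(
        path=path,
        exists=True,
        world_readable=bool(mode & stat.S_IROTH),
        group_readable=bool(mode & stat.S_IRGRP),
    )
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = CREDENTIAL_KEYS.match(line)
            if m:
                # Record only the key name, never the secret, so the
                # audit result is safe to log or ticket.
                finding.credential_keys.append(m.group(1).lower())
    return finding


def restrict_permissions(path: str) -> int:
    """Interim mitigation until upgrade: owner read/write only (0600).
    Returns the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a constructed install directory with a sample account.txt,
    audit it, tighten permissions, and audit again.
    Returns (finding_before, finding_after)."""
    install_dir = tempfile.mkdtemp(prefix="ag_demo_")  # constructed location
    sample = os.path.join(install_dir, CREDENTIAL_FILENAME)
    with open(sample, "w") as fh:
        # Constructed sample credentials, not real account data.
        fh.write("username=demo_user\npassword=demo_pass\n")
    os.chmod(sample, 0o644)  # typical default: group and world readable
    before = audit_install_dir(install_dir)
    restrict_permissions(sample)
    after = audit_install_dir(install_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

    The second audit still reports the file as exposed: restricting the
    mode bits only shuts out other local accounts, while the password
    remains readable to anything running as the user, which is why the
    advisory's real fix is the upgrade.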