COMMAND

    VolanoChatPro

SYSTEMS AFFECTED

    VolanoChatPro

PROBLEM

    "K, KRazY" found the following.  VolanoChatPro, a widely used chat
    server on the Internet, allows anyone with access to the
    filesystem to obtain chat server admin access.

    In the directory where VolanoChatPro is installed, there is a file
    named "properties.txt".  This file stores the config for the
    server, including the value of server.password and admin.password.
    After install, the permissions on this file are "-rw-r--r--".

SOLUTION

    If you're running on a multi-user system where others have login
    accounts, then of course, you should change the permissions so
    that other users can't read the file.  The VolanoChat server will
    leave the permissions as you define them.  For example, you could
    set it to:

        chmod 600 properties.txt

    That will set it so that only the user ID under which you
    installed and start the VolanoChat server can read the file.
    Also, make sure that the files are not publicly available under
    your web server directories.
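
    An added example, not part of the original advisory or of
    VolanoChat: a shell check that applies both recommendations above
    to a given properties.txt.  The file path and the web root are
    passed as arguments and are assumptions about the local install.

```shell
#!/bin/sh
# Added example: audit a VolanoChatPro properties.txt for exposure.
# Usage (both paths are assumptions): sh audit.sh /path/to/properties.txt [webroot]

# Print the octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 = owner-only, 1 = group/other have some access, 2 = cannot check.
check_mode() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    mode=$(file_mode "$1")
    [ -n "$mode" ] || return 2
    # Mask the group and other bits; any non-zero result is an exposure.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "EXPOSED: $1 has mode $mode, accessible beyond its owner"
        return 1
    fi
    echo "ok: $1 has mode $mode"
}

# Returns 0 if the file's resolved directory lies inside the given web root.
under_webroot() {
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) echo "EXPOSED: $1 is under web root $root"; return 0 ;;
    esac
    return 1
}

# Apply the advisory's fix, then re-check the result.
harden() {
    chmod 600 "$1" && check_mode "$1"
}

if [ "$#" -ge 1 ]; then
    if ! check_mode "$1" && [ -f "$1" ]; then harden "$1"; fi
    if [ "$#" -ge 2 ] && under_webroot "$1" "$2"; then
        echo "move $1 out of $2 or deny it in the web server config"
    fi
fi
```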