Title: Tribal Voice PowWow Password Vulnerabilities
Severity: MODERATE
Description:
PowWow is a network communications tool by Tribal Voice, similar to ICQ or AOL Instant Messenger. PowWow contains several vulnerabilities whereby a user's PowWow password can be obtained by an attacker.
The first vulnerability involves the powwow.ini file, where a user's name and password are stored in plaintext. This file can be found at C:\windows\powwow.ini on Win9x platforms and at C:\winnt\powwow.ini on NT machines. The entries look like this:
LOCALNAME:user @ server.com
LOCALPASS:user's_password
The second vulnerability is related to how PowWow transmits the password to the PowWow server to authenticate the user in various operations, mostly related to listings in the PowWow white pages. The password is sent via the URL, in plaintext, meaning it is accessible visibly from the address bar or (later) the history list of the browser being used, as well as via sniffing at any intermediary point on the network. For example, the URL used to remove oneself from the White pages listing is:
http ://ww2.tribal.com/white_pages/RemoveWpfromPow.cfm?PowID=user @ server.com&Pswd=user's_password
The third vulnerability is in Tribal Voice's free email service for PowWow users. During the sign-up process, the user's password is displayed back to them in a web page, which once again can be viewed by anyone in the vicinity or retrieved via sniffing or the browser's local cache.
Also, this free email service allows the option of having it log into a POP server elsewhere as the user, retrieving your mail, and presenting it to you in your PowWow inbox. To do this, you enter the info for your POP account into a web form at Tribal Voice, and they store it at the server for later use. This means that the user's password is stored remotely (encryption/security practices unknown), which leads to two problems: 1) If the Tribal Voice server is compromised, all users using this option could have their POP accounts elsewhere compromised as well. 2) Attackers could use this service to remotely access POP accounts they have hacked/obtained, with an added level of anonymity.
Affected Products:
- Tribal Voice PowWow 3.73.0
References:
- Tribal Voice: Tribal Voice Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
