[NT] Pc-to-Phone Sensitive Information Disclosure

From: support@securiteam.com
Date: 10/29/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Pc-to-Phone Sensitive Information Disclosure
Message-Id: <20011029065442.D13AF138BF@mail.der-keiler.de>
Date: Mon, 29 Oct 2001 07:54:42 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Pc-to-Phone Sensitive Information Disclosure
------------------------------------------------------------------------

SUMMARY

 <http://www.iconnecthere.com/nonmembers/eng/pc_to_phone_product.html>
PC-to-Phone is a popular service that allows PC users to call other PCs or
Phones and make conversations with them. A security vulnerability in the
product allows local users to see other users' account details (including
account passwords usable for billing purposes) and log of phone calls.

DETAILS

Vulnerable systems:
Pc-to-Phone version 3.0.3

Both the account number and password are stored in a file "temp.html" in
the PC-to-Phone install directory, which is world readable. Any user on a
multi-user system can look up the account number and password of any
currently logged in user (or the last user in case of a program/system
crash).

The same goes for the log and PhoneBook folders, which are shared among
all users on a system.

Vendor response:
--- cut here ---
Dear Mr. Hagen,

I am the Product Manager for PC2Phone, and I wanted you to know that I
received your e-mail and that I sincerely thank you for drawing this issue
to our attention.

Deltathree has rallied around solving this issue, and is committed to
providing a comprehensive and expedient solution. To update you on our
progress, it appears that this bug cannot be addressed by a quick hot fix;
we will need to do some significant development work. We have adjusted our
development priorities accordingly and are committed to releasing a new
version of PC2Phone in the upcoming quarter.

Based on your e-mail, we will have decided to (just this afternoon)
provide different dialers for multi-user and single-user/secure systems.
In the latter, the user will be able to store neither the account nor the
password, thus mitigating the potential security issue you identified. In
the multi-user system, we will ensure that all data is properly secured.

On behalf of all of Deltathree and iConnectHere's customers, I thank you
for bringing this to our attention. Based on user feedback, we are able to
offer ever-improving products and services, and we sincerely appreciate
this opportunity to serve you better.

Sincerely,

Jennifer Alexander
Product Manager, Access Devices
jennifera@deltathree.com
--- cut here ---

ADDITIONAL INFORMATION

The information has been provided by <mailto:art@broomstick.com> Arthur
Hagen.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages