Date: Tue, 18 May 1999 04:09:22 +0200
From: Ulandron <ulandron@undersec.com>
To: BUGTRAQ@netspace.org
Subject: Creative Video Blaster Webcam stores passwords in plaintext

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this is my first post to bugtraq, so excuse me if this is already known.
After a quick search through the bugtraq archives, I didn't find
anything related to this issue so I thought users should know about this.
I don't know if this belongs here after aleph's recent post about "Secure
Storage of Secrets in Windows".

The passwords for the ftp account where the images are going to be
uploaded are stored in plain text in the file /%windir%/sysdat.dll, i.e.
c:\windows\sysdat.dll and they look like this:

[Web]
FTPUserName=foo
FTPUserPWD=bar

This problem affects both versions 1.0 and 1.1 of this software.

Creative Labs Spain has been notified, and they answered they don't
support neither freeware or OEM products.

ulandron

- ---------------------------------------------------------------------
Ulandron [ulandron@undersec.com] UIN #16059242 http://www.undersec.com
Key-ID: 1024D/CF42B63F available at http://undersec.com/members/
Key fingerprint = 9A69 EC5B 2193 9F71 CD2C D6E7 3DD2 483C CF42 B63F


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE3QMviPdJIPM9Ctj8RAvAlAJ9hWjSYIcrN3nOvTMHQ6+EPRs6XXACbBNGO
YuOKLkYv/qoPGQF9XNX78C4=
=Xmdn
-----END PGP SIGNATURE-----