PowWow is a network communications tool by Tribal Voice, similar to ICQ or AOL Instant Messenger. PowWow contains several vulnerabilities whereby a user's PowWow password can be obtained by an attacker. The first vulnerability involves the powwow.ini file, where a user's name and password are stored in plaintext. This file can be found at C:\windows\powwow.ini on Win9x platforms and at C:\winnt\powwow.ini on NT machines. The entries look like this: LOCALNAME:user @ server.com LOCALPASS:user's_password The second vulnerability is related to how PowWow transmits the password to the PowWow server to authenticate the user in various operations, mostly related to listings in the PowWow white pages. The password is sent via the URL, in plaintext, meaning it is accessible visibly from the address bar or (later) the history list of the browser being used, as well as via sniffing at any intermediary point on the network. For example, the URL used to remove oneself from the White pages...
PowWow is a network communications tool by Tribal Voice, similar to ICQ or AOL Instant Messenger. PowWow contains several vulnerabilities whereby a user's PowWow password can be obtained by an attacker. The first vulnerability involves the powwow.ini file, where a user's name and password are stored in plaintext. This file can be found at C:\windows\powwow.ini on Win9x platforms and at C:\winnt\powwow.ini on NT machines. The entries look like this: LOCALNAME:user @ server.com LOCALPASS:user's_password The second vulnerability is related to how PowWow transmits the password to the PowWow server to authenticate the user in various operations, mostly related to listings in the PowWow white pages. The password is sent via the URL, in plaintext, meaning it is accessible visibly from the address bar or (later) the history list of the browser being used, as well as via sniffing at any intermediary point on the network. For example, the URL used to remove oneself from the White pages listing is: http ://ww2.tribal.com/white_pages/RemoveWpfromPow.cfm?PowID=user @ server.com&Pswd=user's_password The third vulnerability is in Tribal Voice's free email service for PowWow users. During the sign-up process, the user's password is displayed back to them in a web page, which once again can be viewed by anyone in the vicinity or retrieved via sniffing or the browser's local cache. Also, this free email service allows the option of having it log into a POP server elsewhere as the user, retrieving your mail, and presenting it to you in your PowWow inbox. To do this, you enter the info for your POP account into a web form at Tribal Voice, and they store it at the server for later use. This means that the user's password is stored remotely (encryption/security practices unknown), which leads to two problems: 1) If the Tribal Voice server is compromised, all users using this option could have their POP accounts elsewhere compromised as well. 2) Attackers could use this service to remotely access POP accounts they have hacked/obtained, with an added level of anonymity.
