Snapstream Personal Video Station Plaintext Password Storage

vendor:

Personal Video Station

by:

SecurityFocus

7.5

CVSS

HIGH

Plaintext Password Storage

259

CWE

Product Name: Personal Video Station

Affected Version From: All versions

Affected Version To: All versions

Patch Exists: No

Related CWE: CVE-2001-0753

CPE: a:snapstream_media:personal_video_station

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2001

Snapstream Personal Video Station Plaintext Password Storage

Snapstream Personal Video Station stores passwords and user information in plaintext format. This information can be obtained remotely by exploiting the issue discussed as Bugtraq ID 3100.

Mitigation:

Users should ensure that the Snapstream Personal Video Station is not accessible from the Internet.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3101/info

Snapstream Personal Video Station is an application for Microsoft Windows which allows users to record video output on their PC and view it at a later time, locally or via an HTTP interface. The Snapstream PVS web interface runs on port 8129.

The PVS service stores passwords and user information in plaintext format. Additional information is also contained in the same file which stores passwords, such as the location of the base directory for the service.

This would normally only be a local issue but in combination with other known vulnerabilities the file which stores passwords and user information is easily obtained.

Due to the issue discussed as Bugtraq ID 3100, the passwords can be disclosed to remote attackers. 

http://home.victim.com:8080/../ssd.ini