
Norman Internet Update Daemon sends cleartext license key on update






I just discovered that the Linux Norman Internet Update Daemon
(niu) sends our corporate license key in cleartext over HTTP when
the first update is triggered. Output of niu --trace shows:

SelectNextValServer (1): first: 0
ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no'
sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5'(117)

asdfa-asdfa-asdfa-asdfa-asdfa is our key.

Norman confirmed the bug but did not provide a timeline for any updates.

Regards

-- 
cubewerk ------------------------------ stefan.bauer@cubewerk.de 
IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37
Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551
83308 Trostberg -------------------------------- www.cubewerk.de 
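
Added example, not part of the original post and not Norman's code: a check that scans web-proxy log lines for cleartext GetUpdateInfo requests shaped like the one in the trace above and reports them with the key redacted. The proxy log layout, the function names and the sample lines are assumptions made for illustration; the post identifies only the second '$'-separated field as the license key.

```python
import re

# Request shape taken from the trace in the post:
#   niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?<f1>$<key>$<f3>$<f4>
# Only the second '$'-separated field is identified there (the license key);
# the meaning of the other fields is not stated.
NIU_REQ = re.compile(
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)/scripts/NIUSrv\.dll"
    r"\?GetUpdateInfo\?(?P<args>[^\s'\"]+)",
    re.IGNORECASE,
)

def redact(key):
    """Keep only the first group of the key so a finding can be shared safely."""
    head, sep, _ = key.partition("-")
    return head + sep + "*" * 8 if sep else "*" * 8

def find_key_exposures(log_lines):
    """Return one finding per cleartext GetUpdateInfo request carrying a key."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        m = NIU_REQ.search(line)
        if not m:
            continue
        fields = m.group("args").split("$")
        if len(fields) < 2 or not fields[1]:
            continue  # no key field in this request
        if m.group("scheme").lower() != "http":
            continue  # not plain HTTP, so not the cleartext case from the post
        findings.append({"line": lineno,
                         "host": m.group("host").lower(),
                         "key": redact(fields[1])})
    return findings

# Constructed proxy-log lines (assumed layout); the key is the placeholder
# used in the post, not a real license key.
SAMPLE_LOG = [
    "1302000000.1 10.0.0.5 GET http://niuone.norman.no/scripts/NIUSrv.dll"
    "?GetUpdateInfo?1$asdfa-asdfa-asdfa-asdfa-asdfa$000020022050205220702072208020822$5 200",
    "1302000001.2 10.0.0.5 GET http://example.org/index.html 200",
    "1302000002.3 10.0.0.6 CONNECT niuone.norman.no:443 200",
]

if __name__ == "__main__":
    for finding in find_key_exposures(SAMPLE_LOG):
        print(finding)
```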
