Hyperdose Security Advisory

Name: Improper log file storage in Musicmatch software
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo, v9.00.5059 and earlier are also affected)
Severity: Moderate
Author: Robert Fly - robfly@xxxxxxxxxxxxx
Advisory URL: http://www.hyperdose.com/advisories/H2005-02.txt

--MusicMatch Description--

From Musicmatch.com: "Musicmatch Jukebox 10 is the most powerful way to find and organize your music, giving you ultimate control of your music experience." In September 2004 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--

Musicmatch stores several temp and log files, many of them under Program Files. Because log data can contain personal information about the user, such as which songs they have been listening to, it should be stored under the user's own profile: on an NTFS system the profile directory is restricted to that account, whereas Program Files is readable by every local user account by default. Otherwise users risk inadvertently exposing information that they may not want others on the same machine to access.

One example is the log file "c:\program files\musicmatch\musicmatch jukebox\mmjblog.txt", which, among other things, records the songs the user has listened to.

--Fix Information--

As of 3/21/05 Yahoo has released a new version which fixes this vulnerability. I have withheld vulnerability details until now so that MusicMatch automatic updates had a chance to propagate.

Downloads available here: http://www.musicmatch.com/download/free/security.htm
Security FAQ available here: http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--

Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development, ranging from security design and architectural reviews to security code reviews and penetration testing.

web www.hyperdose.com
email robfly@xxxxxxxxxxxxx
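A check for the storage-location problem described under Bug Details, added here as an example; it is not part of the original advisory and is not MusicMatch or Yahoo code. It classifies each log or temp file path as "shared" (under Program Files, ProgramData or the Windows directory, which every local account can read by default) or "per-user" (under the profile directories), lists the files that sit in shared locations, and computes where a per-user log should go instead. The environment variables and the file inventory are constructed for illustration (only mmjblog.txt is taken from the advisory); on a real machine pass os.environ and the result of a directory walk instead. Paths are handled with PureWindowsPath so the check runs on any OS.

```python
"""Classify where a Windows application keeps its log/temp files.

Added example, not MusicMatch/Yahoo code. Pure path arithmetic only, so it
runs anywhere; the environment and inventory below are constructed.
"""
from pathlib import PureWindowsPath

# Roots that every interactive user on the machine can normally read.
SHARED_ROOT_VARS = ("ProgramFiles", "ProgramFiles(x86)", "ProgramData", "SystemRoot")
# Roots that belong to a single user's profile.
PER_USER_ROOT_VARS = ("LOCALAPPDATA", "APPDATA", "USERPROFILE")


def _is_under(path, root):
    """True if `path` is `root` or lies beneath it.

    Compared component by component and case-insensitively (Windows
    semantics), so "C:\\Program" does not match "C:\\ProgramData".
    """
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[: len(r)] == r


def classify_location(path, env):
    """Return 'per-user', 'shared' or 'unknown' for a log/temp file path.

    `env` is a mapping of Windows environment variables (os.environ on a
    real machine; a constructed dict in the example below).
    """
    for var in PER_USER_ROOT_VARS:
        root = env.get(var)
        if root and _is_under(path, root):
            return "per-user"
    for var in SHARED_ROOT_VARS:
        root = env.get(var)
        if root and _is_under(path, root):
            return "shared"
    return "unknown"


def per_user_log_path(vendor, app, filename, env):
    """Where the log should live: the user's local (non-roaming) profile.

    LOCALAPPDATA is only set on Vista and later; fall back to APPDATA.
    """
    base = env.get("LOCALAPPDATA") or env.get("APPDATA")
    if not base:
        raise KeyError("no per-user profile directory in environment")
    return str(PureWindowsPath(base) / vendor / app / filename)


def audit(paths, env):
    """Return the subset of `paths` stored in a shared (all-users) location."""
    return [p for p in paths if classify_location(p, env) == "shared"]


# Constructed XP-style environment for illustration (assumption, not real data).
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "ProgramData": r"C:\ProgramData",
    "SystemRoot": r"C:\WINDOWS",
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "APPDATA": r"C:\Documents and Settings\alice\Application Data",
    "LOCALAPPDATA": r"C:\Documents and Settings\alice\Local Settings\Application Data",
}

# Constructed inventory; only mmjblog.txt is the file named in the advisory.
SAMPLE_PATHS = [
    r"C:\Program Files\MusicMatch\MusicMatch Jukebox\mmjblog.txt",
    r"C:\Program Files\MusicMatch\MusicMatch Jukebox\tmp\scan.tmp",   # hypothetical
    r"C:\Documents and Settings\alice\Local Settings\Application Data\MusicMatch\mmjblog.txt",  # hypothetical, correct place
    r"C:\WINDOWS\Temp\mmjb.log",                                        # hypothetical
]

if __name__ == "__main__":
    for p in audit(SAMPLE_PATHS, SAMPLE_ENV):
        print("readable by all local users:", p)
    print("should be:", per_user_log_path("MusicMatch", "MusicMatch Jukebox",
                                          "mmjblog.txt", SAMPLE_ENV))
```

The location check is a heuristic: it tells you a file is in a directory that is world-readable by default, not that its ACL actually is. On a live system follow up on each flagged path with the file's effective permissions (for example Get-Acl in PowerShell), since an installer can tighten or loosen the inherited defaults.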