--/ INTRODUCTION --

/*
 * Advisory     : pgtray mailcheck_plaintext
 * Release Date : 27. September 2005
 * Application  : pgtray / partyguide.ch mailchecker
 * Impact       : user account passwords can be sniffed
 * Author       : simon[at]blah.ch
 */

--/ SUMMARY --

To keep users up to date with their e-mails at partyguide, there is a small pgtray application that checks every 60 seconds for new incoming e-mails. To authenticate to the server, it sends your password. The vulnerability is that pgtray does not encrypt the password when it is sent: it leaves the client in plaintext and the server receives it in plaintext, too. There is therefore nothing stopping anyone on the path from sniffing the password; a sniffer with a few simple filter rules can pick out partyguide passwords quickly and easily.

--/ REPRODUCE --

Setting up a filter rule with simple criteria such as

  Protocol: HTTP
  Destination: 217.150.245.68

will show you the interesting frame quickly. A successful sniff gives an output in the data field like this example:

<.>
47 45 54 20 2f 6d 61 69 6c 63 68 65 63 6b 2e 70  GET /mai lcheck.p
68 70 3f 75 3d 7a 39 64 69 61 63 60 26 70 3d 62  hp?u=sim on&p=h
75 66 66 6d 75 74 39 68 48 54 54 50 2f 61 2e 31  3xb1atch
<.>

GET /mailcheck.php?u=simon&p=h3xb1atch HTTP/1.1
Accept: */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: pgtray.partyguide.ch
Connection: Keep-Alive
Cookie: bblastvisit=1122981291; c_ip=217.162.38.236; c_geburtsdatum_jahr=1985; c_plz=3145; c_kanton=BE; c_geschlecht=m
<.>

--/ PATCH --

At present there is no fix available, as far as we know.
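Added detection example, not part of the original advisory: a small Python check that parses one captured HTTP request and reports when a credential-looking parameter travels in the URL query, the way pgtray's mailcheck.php call does, while redacting the value so the finding itself does not store the password. The sample request, the user name and the password are constructed; the host and path are the ones the advisory shows, and the list of parameter names is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the request the advisory describes: pgtray fetches
# mailcheck.php with user name and password in the query string of an
# unencrypted HTTP GET. The user name and password here are made up.
SAMPLE_REQUEST = (
    "GET /mailcheck.php?u=alice&p=s3cret HTTP/1.1\r\n"
    "Host: pgtray.partyguide.ch\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Query parameter names that usually carry a secret (assumed list);
# "p" is the one pgtray uses.
SECRET_PARAMS = {"p", "pass", "passwd", "password", "pwd"}


def parse_request(raw):
    """Return (method, target, host) from a raw HTTP/1.x request, else None."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], parts[1], host


def find_plaintext_credentials(raw):
    """Flag a request whose URL query carries a secret parameter.

    Meant for requests taken from an unencrypted capture (plain HTTP, as
    pgtray uses). Returns a finding with the secret redacted, or None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, host = parsed
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    leaked = sorted(k for k in query if k.lower() in SECRET_PARAMS)
    if not leaked:
        return None
    return {
        "method": method, "host": host, "path": url.path,
        "user": query.get("u", [""])[0],
        # report that a secret leaked, never the captured value itself
        "redacted": {k: "*" * len(query[k][0]) for k in leaked},
    }
```

Run over the request lines of a capture, this turns the advisory's manual "look at the data field" step into an automated check, and the redaction keeps the resulting report safe to share.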