Vulnerability: REDI.exe

Affected: REDI

Description: Doug Nakatomi found the following. REDI is real-time stock trading software used by active traders to execute stock orders very rapidly. From their web site (www.redi.com), bullet points for REDI include: "Optimal execution, immediate access to maximum liquidity and a full view of the marketplace at all times.", "Consolidated, consistent display of all the necessary decision-making information and order entry capability.", and "One screen has it all: news, charts, order entry, position tracking, and real-time P&L." Many companies that provide the software require minimum account balances considerably higher than an average online broker; many are $25,000+.

Seriousness: Very. Access to personal accounts and large amounts of money is trivial once read access to the file system is achieved. The user name and password are stored in a clear-text file on the user's computer every time the user logs in. The file, by default E:\Program Files\SLK\REDI\Logon\StartLog.txt, contains information about the program's startup that is useful for troubleshooting.

Solution: The vendor responded promptly and released a fixed version of the software, available from http://www.redi.com/rpdownload.html, although no public notification of the problem has been seen, and the problem still exists in versions resold by other companies.
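The core issue above is a troubleshooting log that captures login credentials in clear text. A defender's first step is to audit such logs for credential-like fields and scrub them before the files are shared or archived. The script below is an added example written for this advisory; it is not code from the advisory, the reporter, or the vendor. The sample log text and the field names (UserName=, Password=) are constructed assumptions, since the advisory does not show the actual StartLog.txt format; adjust SENSITIVE_KEYS to match the real file.

```python
import re
import sys
from pathlib import Path

# Constructed sample of a startup log. The real StartLog.txt layout is not
# shown in the advisory, so these lines and field names are assumptions.
SAMPLE_LOG = """\
10:02:11 REDI startup
10:02:11 Loading profile from C:\\Program Files\\SLK\\REDI
10:02:12 UserName=jdoe
10:02:12 Password=hunter2
10:02:13 Connected to quote server
"""

# Keys whose values should never be written to a troubleshooting log.
# Longer names come first so "username" is matched before "user".
SENSITIVE_KEYS = ("username", "password", "passwd", "login", "user", "pwd")

# key, optional spaces, '=' or ':', optional spaces, then the value token.
_KV = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\s*[=:]\s*(\S+)")


def find_credentials(text):
    """Return (line_number, key) for every credential-like field in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _KV.finditer(line):
            findings.append((line_no, match.group(1).lower()))
    return findings


def redact(text):
    """Return text with every credential value replaced by [REDACTED]."""
    return _KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def audit_file(path, rewrite=False):
    """Audit one log file; optionally overwrite it with the redacted copy.

    Returns the list of findings so callers can alert on a non-empty result.
    """
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="replace")
    findings = find_credentials(text)
    if findings and rewrite:
        p.write_text(redact(text), encoding="utf-8")
    return findings


if __name__ == "__main__":
    # Usage: python audit_startlog.py <StartLog.txt> [--rewrite]
    # With no arguments, run against the constructed sample instead.
    if len(sys.argv) > 1:
        hits = audit_file(sys.argv[1], rewrite="--rewrite" in sys.argv)
    else:
        hits = find_credentials(SAMPLE_LOG)
        print(redact(SAMPLE_LOG))
    for line_no, key in hits:
        print(f"credential field '{key}' found on line {line_no}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets the audit run from a scheduled task or login script and flag any workstation whose startup log still records a login, which is the condition that tells you a vulnerable (or resold, unpatched) build is in use.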