Date: Wed Mar 22 20:57:10 2006
From: FistFuXXer at gmx.de (FistFucker)
Subject: iDefense Security Advisory 03.22.06: WebSurveyor
	/ iDefense Survey Predictable Sequence Number and
	Account Enumeration Information
	Disclosure and Possible Cross-Site Scripting Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Arnaud,

I think the best way to clarify your question is to mail iDefense
directly. But I'm sure that today they're a LITTLE BIT angry with you. LOL


- -Manuel Santamarina Suarez aka 'FistFuXXer'



ad@...poverflow.com wrote:
> So that was a fake mail, the one with subject:
> 
> iDefense VCP Survey - Get a $20 Amazon.com Coupon
> 
> ?
> 
> That was suspicious to me, and given that there was nothing to check
> whether it was from iDefense, I didn't reply to it, but do you confirm
> that it was a scam?
> 
> Richard Larceny wrote:
>>> WebSurveyor / iDefense Survey Predictable Sequence Number and
>>> Account Enumeration Information Disclosure and Possible Cross-Site
>>> Scripting Vulnerability
>>>
>>> iDefense Security Advisory 03.22.06
>>> http://www.idefense.com/application/poi/display?type=vulnerabilities
>>>  March 22, 2006
>>>
>>> I. BACKGROUND
>>>
>>> WebSurveyor 5.7 is an online survey/spam engine
>>> designed to spam clients and partners of small to mid-sized
>>> businesses. WebSurveyor collects, stores, and manages the
>>> confidential data about products and business processes for
>>> hundreds of such companies.
>>>
>>> More information on this software package can be found on the
>>> vendor's site:
>>>
>>> http://www.websurveyor.com/pricing.asp
>>>
>>> iDefense is a small to mid-sized business looking to spam clients
>>> and partners with surveys. More information about the iDefense
>>> product can be found on the vendor's site:
>>>
>>> http://www.verisign.com
>>>
>>> II. DESCRIPTION
>>>
>>> WebSurveyor is subject to an information disclosure attack. The
>>> software generates unique, but predictable, identifiers for each
>>> survey purchased by customers. Furthermore, the default error
>>> condition provides the name and e-mail address of the purchaser of
>>> the survey. Due to these design flaws, it is trivial for a remote,
>>> unauthenticated cockgobbler to enumerate the e-mail addresses of
>>> all WebSurveyor customers.
>>>
>>> The software is also likely subject to standard cross-site
>>> scripting attacks, but these were not explored in depth, as
>>> recently iDefense research scientists have determined that XSS is
>>> gay.
>>>
>>> From the WebSurveyor Privacy Policy,
>>> http://www.websurveyor.com/websurveyor-privacypolicy.asp
>>>
>>> "Information obtained from visitors and customers will only be used
>>>  for internal purposes. At no time will we sell, rent, or otherwise
>>>  distribute your personal information or survey data to a third
>>> party."
>>>
>>> III. ANALYSIS
>>>
>>> Exploitation involves inserting garbage into a legitimate survey
>>> URL. For example, the following URL is a survey intended for
>>> iDefense contributors, for which respondents are rewarded with a
>>> $20 Amazon gift card (hurry up and get yours today).
>>>
>>> https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
>>>
>>> By mistyping the URI target,
>>>
>>> https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
>>>
>>>
>>> ...an attacker can learn that this survey is owned by Jason
>>> Greenwood jgreenwood@...fense.com.
>>>
>>> By decrementing the URI path, -here-
>>> https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
>>>
>>> ...an attacker can learn that the prior survey is owned by Mattias
>>> Johansson, bork bork bork.
>>>
>>> IV. DETECTION
>>>
>>> This exploit has been tested with a web browser.
>>>
>>> V. WORKAROUND
>>>
>>> Don't take the survey.
>>>
>>> VI. VENDOR RESPONSE
>>>
>>> No response from WebSurveyor. Here at iDefense we sell all your
>>> information to foreign governments anyway, so no real issue there.
>>>
>>> VII. CVE INFORMATION
>>>
>>> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
>>> not been assigned yet.
>>>
>>> VIII. DISCLOSURE TIMELINE
>>>
>>> 03/20/2006 iDefense survey goes live
>>> 03/22/2006 Initial public disclosure
>>>
>>> IX. CREDIT
>>>
>>> The discoverer of this vulnerability wishes to remain anonymous.
>>>
>>> Get paid for vulnerability research
>>> http://www.idefense.com/poi/teams/vcp.jsp
>>>
>>> Free tools, research and upcoming events http://labs.idefense.com
>>>
>>> X. LEGAL NOTICES
>>>
>>> Disclaimer: The information in the advisory has been deemed as
>>> accurate by our crackpot team of monkeys based on currently
>>> available FUD. Use of the information constitutes acceptance for
>>> use in an AS IS condition. There are no warranties with regard to
>>> this information. Neither the author nor the publisher accepts any
>>> liability for any direct, indirect, or consequential loss or damage
>>> arising from use of, or reliance on, this information.
>>>
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEIboCPF/cBnCBnL0RAs7EAJ0T7RtMBJp3sI5EUFMZrBohBiN6/ACeONTI
bpmf/K8Qy9F1i+jYg0owMaU=
=bmw1
-----END PGP SIGNATURE-----
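The flaw the quoted (parody) advisory describes, sequential survey identifiers combined with an error page that names the survey's purchaser, as an added example that is not part of the original post or of WebSurveyor's software: a constructed in-memory mock of the leaky handler, the "decrement the ID and mistype the page" loop an unauthenticated client would run against it, a heuristic check for guessable identifiers, and a hardened handler that issues unguessable tokens and returns one generic error for every failure. The survey IDs echo the advisory's example range, but every name and address below is invented, and nothing is sent to websurveyor.net.

```python
"""Mock of sequential-ID + verbose-error account enumeration, and its fix.
Constructed example; all data is invented and nothing touches the network."""
import re
import secrets
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample data: survey id -> (owner name, owner e-mail).
SURVEYS: Dict[int, Tuple[str, str]] = {
    46280: ("Alice Example", "alice@example.com"),
    46281: ("Bob Example", "bob@example.com"),
    46282: ("Carol Example", "carol@example.com"),
}

Handler = Callable[[object, str], Tuple[int, str]]


def vulnerable_handler(survey_id: object, page: str) -> Tuple[int, str]:
    """Behaves like the advisory says WebSurveyor did: a mistyped page name
    under a valid survey ID yields an error that names the purchaser."""
    owner = SURVEYS.get(survey_id)  # type: ignore[arg-type]
    if owner is None:
        return 404, "No such survey"
    name, email = owner
    if page != "survey.htm":  # any bogus target hits the default error page
        return 404, (f"The page '{page}' was not found in the survey "
                     f"owned by {name} ({email}).")
    return 200, "<html>survey form</html>"


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def enumerate_owners(handler: Handler, candidates: Iterable[object]) -> Dict[object, str]:
    """Request each candidate identifier with a deliberately bogus page name
    and harvest any e-mail address the error text leaks. Walking a range of
    neighbouring integers is the advisory's 'decrement the URI path' step."""
    found: Dict[object, str] = {}
    for ident in candidates:
        _status, body = handler(ident, "does_not_exist.htm")
        match = EMAIL_RE.search(body)
        if match:
            found[ident] = match.group(0)
    return found


def ids_look_sequential(sample: Iterable[object], max_gap: int = 10) -> bool:
    """Tester's check over a handful of observed identifiers: all numeric and
    closely spaced means a customer's neighbour is guessable."""
    try:
        nums = sorted(int(s) for s in sample)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return False  # non-numeric tokens cannot be stepped through
    return len(nums) >= 2 and all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))


# Hardened variant: an unguessable token replaces the sequential integer in
# the URL, and the error path never mentions who owns the survey.
TOKENS: Dict[str, int] = {}


def issue_token(survey_id: int) -> str:
    """Mint a 192-bit random URL-safe token for a survey; neighbours share
    nothing, so there is no sequence to decrement."""
    token = secrets.token_urlsafe(24)
    TOKENS[token] = survey_id
    return token


def hardened_handler(token: object, page: str) -> Tuple[int, str]:
    """Same generic response for an unknown token and for a mistyped page, so
    the error channel carries no owner data and no 'valid ID' oracle."""
    survey_id = TOKENS.get(token)  # type: ignore[arg-type]
    if survey_id is None or page != "survey.htm":
        return 404, "Not found"
    return 200, "<html>survey form</html>"


if __name__ == "__main__":
    leaked = enumerate_owners(vulnerable_handler, range(46282, 46279, -1))
    print("vulnerable handler leaked:", leaked)
    print("sequential IDs?", ids_look_sequential(leaked))
    guesses = [str(i) for i in range(46282, 46279, -1)]
    print("hardened handler leaked:", enumerate_owners(hardened_handler, guesses))
```

The two handlers differ in exactly the two properties the advisory calls out: the identifier space (dense integers versus random tokens) and the error body (owner attribution versus a constant string). Fixing only one of them is not enough; random tokens with a chatty error still leak the owner of any token that is ever shared, and sequential IDs with a silent error still let a client confirm which IDs exist.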
