lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed Mar 22 20:59:11 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: iDefense Security Advisory 03.22.06: WebSurveyor
	/ iDefense Survey Predictable Sequence Number and
	Account	Enumeration	Information
	Disclosure and Possible Cross-Site	Scripting Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
;>

FistFucker wrote:
> Hello Arnaud,
>
> I think the best way to clarify your question is to directly mail
> to iDefense. But I'm sure that they're today a LITTLE BIT angry on
> you. LOL
>
>
> -Manuel Santamarina Suarez aka 'FistFuXXer'
>
>
>
> ad@...poverflow.com wrote:
>>> so that was a fake mail the one subject:
>>>
>>> iDefense VCP Survey - Get a $20 Amazon.com Coupon
>>>
>>> ?
>>>
>>> that was suspicious to me and the fact there is nothing to
>>> check
> if it
>>> was from idefense , didnt replied to it, but do you confirm
>>> that
> was a
>>> scam ?
>>>
>>> Richard Larceny wrote:
>>>>> WebSurveyor / iDefense Survey Predictable Sequence Number
>>>>> and Account Enumeration Information Disclosure and Possible
>>>>> Cross-Site Scripting Vulnerability
>>>>>
>>>>> iDefense Security Advisory 03.22.06
>>>>>
> http://www.idefense.com/application/poi/display?type=vulnerabilities
>
>>>>> March 22, 2006
>>>>>
>>>>> I. BACKGROUND
>>>>>
>>>>> WebSurveyor WebSurveyor 5.7 is an online survey/spam engine
>>>>>  designed to spam clients and partners of small to
>>>>> mid-sized businesses. WebSurveryor collects, stores, and
>>>>> manages the confidential data about products and business
>>>>> processes for hundreds of such companies.
>>>>>
>>>>> More information on this software package can be found on
>>>>> the vendor's site:
>>>>>
>>>>> http://www.websurveyor.com/pricing.asp
>>>>>
>>>>> iDefense is a small to mid-sized business looking to spam
>>>>> clients and partners with surveys. More information about
>>>>> the iDefense product can be found on the vendor's site:
>>>>>
>>>>> http://www.verisign.com
>>>>>
>>>>> II. DESCRIPTION
>>>>>
>>>>> WebSurveyor is subject to an information disclosure attack.
>>>>> The software generates unique, but predictable, identifiers
>>>>> for each survey purchased by customers. Furthermore, the
>>>>> default error condition provides the name and e-mail
>>>>> address of the purchaser of the survey. Due to these design
>>>>> flaws, it is trivial for a remote, unauthenticated
>>>>> cockgobblers to enumerate the e-mail addresses of all
>>>>> WebSurveyor customers.
>>>>>
>>>>> The software is also likely subject to standard cross-site
>>>>> scripting attacks, but these were not explored in depth, as
>>>>>  recently iDefense research scientists have determined that
>>>>> XSS is gay.
>>>>>
>>>>>> From the WebSurveyor Privacy Policy,
>>>>> http://www.websurveyor.com/websurveyor-privacypolicy.asp
>>>>>
>>>>> "Information obtained from visitors and customers will only
>>>>> be used for internal purposes. At no time will we sell,
>>>>> rent, or otherwise distribute your personal information or
>>>>> survey data to a third party."
>>>>>
>>>>> III. ANALYSIS
>>>>>
>>>>> Exploitation involves inserting garbage into a legitimate
>>>>> survey URL. For example, the following URL is a survey
>>>>> intended for iDefense contributors, for which respondents
>>>>> are rewarded with a 20$ Amazon gift card (hurry up and get
>>>>> yours today).
>>>>>
>>>>> https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
>>>>>
>>>>>
>>>>> By mistyping the URI target,
>>>>>
>>>>>
> https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
>
>>>>>
>>>>>
>>>>> ..an attacker can learn that this survey is owned by Jason
>>>>> Greenwood jgreenwood@...fense.com.
>>>>>
>>>>> By decrementing the URI path, -here-
>>>>> https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
>>>>>
>>>>>
>>>>> ..an attacker can learn that the prior survey is owned by
>>>>> Mattias Johansson, bork bork bork.
>>>>>
>>>>> IV. DETECTION
>>>>>
>>>>> This exploit has been tested with a web browser.
>>>>>
>>>>> V. WORKAROUND
>>>>>
>>>>> Don't take the survey.
>>>>>
>>>>> VI. VENDOR RESPONSE
>>>>>
>>>>> No response from WebSurveyor. Here at iDefense we sell all
>>>>> your information to foriegn governments anyway, so no real
>>>>> issue there.
>>>>>
>>>>> VII. CVE INFORMATION
>>>>>
>>>>> A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
>>>>> number has not been assigned yet.
>>>>>
>>>>> VIII. DISCLOSURE TIMELINE
>>>>>
>>>>> 03/20/2006 iDefense survey goes live 03/22/2006 Initial
>>>>> public disclosure
>>>>>
>>>>> IX. CREDIT
>>>>>
>>>>> The discoverer of this vulnerability wishes to remain
>>>>> anonymous.
>>>>>
>>>>> Get paid for vulnerability research
>>>>> http://www.idefense.com/poi/teams/vcp.jsp
>>>>>
>>>>> Free tools, research and upcoming events
>>>>> http://labs.idefense.com
>>>>>
>>>>> X. LEGAL NOTICES
>>>>>
>>>>> Disclaimer: The information in the advisory has been deemed
>>>>> as accurate by our crack pot team of monkeys based on
>>>>> currently available FUD. Use of the information constitutes
>>>>> acceptance for use in an AS IS condition. There are no
>>>>> warranties with regard to this information. Neither the
>>>>> author nor the publisher accepts any liability for any
>>>>> direct, indirect, or consequential loss or damage arising
>>>>> from use of, or reliance on, this information.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it. Charter:
>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>>
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>
>
>
> __________ NOD32 1.1455 (20060322) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEIbqLFJS99fNfR+YRAiQuAKDSpckJZqShxA+RqR+GBsn+/A38cACguw8+
wLs0ku/j9nde5BVQo3Tvq5g=
=UKS/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ