Message-ID: <a950680d0603221119g5c04f487s609a1f511c578848@mail.gmail.com>
Date: Wed Mar 22 20:28:29 2006
From: the.return.of.dicktheft at gmail.com (Richard Larceny)
Subject: iDefense Security Advisory 03.22.06: WebSurveyor / iDefense Survey Predictable Sequence Number and Account Enumeration Information Disclosure and Possible Cross-Site Scripting Vulnerability
WebSurveyor / iDefense Survey Predictable Sequence Number and Account Enumeration Information Disclosure and Possible Cross-Site Scripting Vulnerability
iDefense Security Advisory 03.22.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
March 22, 2006
I. BACKGROUND
WebSurveyor WebSurveyor 5.7 is an online survey/spam engine
designed to spam clients and partners of small to mid-sized
businesses. WebSurveyor collects, stores, and manages the
confidential data about products and business processes for
hundreds of such companies.
More information on this software package can be found on the
vendor's site:
http://www.websurveyor.com/pricing.asp
iDefense is a small to mid-sized business looking to spam clients and
partners with surveys. More information about the iDefense product can
be found on the vendor's site:
http://www.verisign.com
II. DESCRIPTION
WebSurveyor is subject to an information disclosure attack. The
software generates unique, but predictable, identifiers
for each survey purchased by customers. Furthermore, the default
error condition provides the name and e-mail address of the purchaser
of the survey. Due to these design flaws, it is trivial for remote,
unauthenticated cockgobblers to enumerate the e-mail addresses of
all WebSurveyor customers.
The software is also likely subject to standard cross-site scripting
attacks, but these were not explored in depth, as recently iDefense
research scientists have determined that XSS is gay.
From the WebSurveyor Privacy Policy,
http://www.websurveyor.com/websurveyor-privacypolicy.asp
"Information obtained from visitors and customers will only be used
for internal purposes. At no time will we sell, rent, or otherwise
distribute your personal information or survey data to a third
party."
III. ANALYSIS
Exploitation involves inserting garbage into a legitimate survey URL.
For example, the following URL is a survey intended for iDefense
contributors, for which respondents are rewarded with a $20 Amazon
gift card (hurry up and get yours today).
https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
By mistyping the URI target,
https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
...an attacker can learn that this survey is owned by Jason Greenwood
jgreenwood@...fense.com.
By decrementing the URI path,
-here-
https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
...an attacker can learn that the prior survey is owned by Mattias
Johansson, bork bork bork.
IV. DETECTION
This exploit has been tested with a web browser.
V. WORKAROUND
Don't take the survey.
VI. VENDOR RESPONSE
No response from WebSurveyor. Here at iDefense we sell all your
information to foreign governments anyway, so no real issue there.
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
03/20/2006 iDefense survey goes live
03/22/2006 Initial public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Disclaimer: The information in the advisory has been deemed as accurate
by our crackpot team of monkeys based on currently available FUD. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
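The enumeration pattern described in section III (one client walking adjacent survey numbers under /wsb.dll/ and collecting error pages) is easy to spot in the survey host's own access logs. The following detector is an added example and not part of the advisory or of any WebSurveyor tooling; the log lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines (not from the advisory). Client 203.0.113.7
# walks survey ids 46282 down to 46279; 198.51.100.4 is an ordinary respondent.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2006:11:19:01 +0000] "GET /wsb.dll/46282/iDefense_VCP_12-20.htm HTTP/1.1" 200 5120
203.0.113.7 - - [22/Mar/2006:11:19:05 +0000] "GET /wsb.dll/46282/typo.htm HTTP/1.1" 404 812
203.0.113.7 - - [22/Mar/2006:11:19:09 +0000] "GET /wsb.dll/46281/x.htm HTTP/1.1" 404 809
203.0.113.7 - - [22/Mar/2006:11:19:12 +0000] "GET /wsb.dll/46280/x.htm HTTP/1.1" 404 811
203.0.113.7 - - [22/Mar/2006:11:19:15 +0000] "GET /wsb.dll/46279/x.htm HTTP/1.1" 404 810
198.51.100.4 - - [22/Mar/2006:11:20:00 +0000] "GET /wsb.dll/46282/iDefense_VCP_12-20.htm HTTP/1.1" 200 5120
"""

# Matches requests for the sequential survey path shown in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) /wsb\.dll/(?P<sid>\d+)/\S* '
    r'HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse(lines):
    """Yield (client_ip, survey_id, status) for every survey request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], int(m['sid']), int(m['status'])

def find_enumerators(lines, min_run=3, min_errors=2):
    """Return {client_ip: sorted survey ids} for clients that requested a run of
    at least `min_run` consecutive survey ids and drew `min_errors` error pages.
    Legitimate respondents touch one id; an enumerator touches neighbours."""
    per_ip = defaultdict(lambda: {'ids': set(), 'errors': 0})
    for ip, sid, status in parse(lines):
        per_ip[ip]['ids'].add(sid)
        if status >= 400:
            per_ip[ip]['errors'] += 1
    flagged = {}
    for ip, info in per_ip.items():
        ids = sorted(info['ids'])
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur - prev == 1 else 1
            longest = max(longest, run)
        if longest >= min_run and info['errors'] >= min_errors:
            flagged[ip] = ids
    return flagged

if __name__ == '__main__':
    print(find_enumerators(SAMPLE_LOG.splitlines()))
```

The durable fix on the application side is to stop the error page from naming the survey owner and to replace the sequential survey number with an unguessable identifier; the detector above only buys time until that is done.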