Bugtraq mailing list archives
sltrib.com, using nacorp.com's web forms are submitted insecurely, and are clearly promoted as being secure
From: "Jon Zobrist" <kgb () ussr com>
Date: Mon, 21 Jan 2002 15:59:49 -0700
Every web form I can find on their web site is DISPLAYED using SSL, and proudly displays Thawte's logo as being a secure site. These forms contain fields for sensitive personal information, including credit card number. One such form is located at https://www.nacorp.com/NAC/_private/subscribe_now_SSL.htm

However, a simple look at their HTML shows the forms are submitted over a non-SSL connection.

<form method="POST" action="http://www.nacorp.com/scripts/mailto.exe" onsubmit="return FrontPage_Form1_Validator(this)" name="FrontPage_Form1">

I notified the vendor on January 7, 2002. Initial vendor response was positive, saying they'd look into it. My follow-up inquiry sent January 20, 2002 was replied to with a claim of disagreement. In the interest of allowing the public to protect themselves, I am submitting this to bugtraq, and have notified the local news.

A second criticism of their security is that the actual target of the form is an executable called mailto.exe, and the form includes several hidden fields containing a user's email address and a mail server.

<input type="hidden" name="sendto" value="service () nacorp com">
<input type="hidden" name="server" value="mail.nacorp.com">
<table border="1" width="100%">

I suspect this executable could easily be used by malicious persons to send their own messages to whomever they choose, not to mention the personal information being submitted over an insecure medium such as email. Again, I am submitting this to bugtraq with the hopes of helping the vendor in question understand the security flaws in their system which directly affect active customers who put their credit card number on these forms.

-Jon Zobrist
kgb () bluesun net

----- Original Message -----
From: "John Kunze" <jkunze () nacorp com>
To: "Jon Zobrist" <kgb () bluesun net>
Sent: Monday, January 21, 2002 3:28 PM
Subject: RE: All of your web forms are completely insecure.

Jon: We don't agree with your assessment. We are having an independent third-party ISP evaluate the situation. Regards, John

-----Original Message-----
From: Jon Zobrist [mailto:kgb () bluesun net]
Sent: Sunday, January 20, 2002 3:58 PM
To: John Kunze
Subject: Re: All of your web forms are completely insecure.

It's been a while, I haven't heard anything, and the forms are still insecure. Any update? -Jon

----- Original Message -----
From: "John Kunze" <jkunze () nacorp com>
To: "Jon Zobrist" <kgb () bluesun net>
Sent: Monday, January 07, 2002 5:46 PM
Subject: RE: All of your web forms are completely insecure.

Jon: I will look into this issue and get back to you. Regards,

John Kunze
Sr. Web Developer
New Media Department
Newspaper Agency Corporation
135 South Main Street
Salt Lake City, UT 84111
Phone: (801) 237-2738
Fax: (801) 237-2519

-----Original Message-----
From: Jon Zobrist [mailto:kgb () bluesun net]
Sent: Monday, January 07, 2002 5:31 PM
To: webmaster () nacorp com
Subject: All of your web forms are completely insecure.

I submitted an ad recently, and almost paid via credit card. I checked your html to make sure your form was being submitted securely and was very surprised to find that it was not. To make matters worse it appears that your form is sent to an executable which emails the results. This is especially disturbing since the form itself is displayed over an encrypted SSL connection, which gives a very false sense of security. I recommend you at the very least move your mailer redirector to your SSL server and retarget your form to there. Then I recommend you make sure that your server is at the very least on the same switched network segment that your SSL server is on; this is still not an ideal solution, but at least it's less likely to be sniffed. If you are unsure what actions to take, I do consulting in this area and would offer my services to help you, however that is not the primary reason for my mailing you. It is to decrease the likelihood that someone gets their credit card information stolen from your insecure form submission. Feel free to contact me with any questions you have about my concerns. I do expect you to fix the site and if I do not hear from you within 7 days from today (1/7/02) I will assume you have ignored my concerns and will have no choice but to take this information to the public in hopes they can protect themselves.

Jon Zobrist
Security Consultant
Bluesun Networks
kgb () bluesun net
801-865-9300
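The two problems described in the post (a form served over HTTPS whose action posts to plain HTTP, and hidden fields that let the submitter steer a server-side mailer) are both visible in the page's static HTML, so a site owner can audit for them without touching the network. The following checker is an added example, not code from the post or from nacorp.com; the page URL, hostnames and form contents in it are constructed stand-ins (example.com), and the MAIL_ROUTING_FIELDS name list is an assumption about which hidden-field names commonly steer mailer scripts.

```python
"""Audit a page's HTML forms for plaintext submission and exposed mail-routing fields.

Added example (not the post's own code). It parses the HTML with the standard
library only, resolves each form's action against the page URL, and reports:
  * forms on an https page whose resolved action uses http, and
  * hidden inputs whose names suggest the recipient/relay is client-controllable.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed set of hidden-field names that typically tell a mailer script where
# to send; a form carrying these exposes routing choices to whoever submits it.
MAIL_ROUTING_FIELDS = {"sendto", "recipient", "to", "server", "mailserver", "smtp", "mailhost"}


class FormCollector(HTMLParser):
    """Collect every <form> with its name, action, method and hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "name": a.get("name") or "(unnamed)",
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "hidden": {},
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden":
                self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a list of (form_name, finding) tuples for the forms in `html`."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        # An empty action submits back to the page itself; relative actions
        # resolve against the page URL and inherit its scheme.
        target = urljoin(page_url, form["action"] or page_url)
        if page_scheme == "https" and urlsplit(target).scheme == "http":
            findings.append((form["name"], f"submits over plaintext HTTP to {target}"))
        exposed = sorted(n for n in form["hidden"] if n.lower() in MAIL_ROUTING_FIELDS)
        if exposed:
            findings.append((form["name"],
                             "hidden mail-routing fields are client-controllable: " + ", ".join(exposed)))
    return findings


# Constructed sample page modelled on the structure the post describes.
SAMPLE_PAGE_URL = "https://www.example.com/subscribe_now_SSL.htm"
SAMPLE_HTML = """
<html><body>
<form method="POST" action="http://www.example.com/scripts/mailto.exe" name="Form1">
  <input type="hidden" name="sendto" value="service@example.com">
  <input type="hidden" name="server" value="mail.example.com">
  <input type="text" name="cardnumber">
</form>
<form method="POST" action="/cgi-bin/order" name="Form2">
  <input type="text" name="cardnumber">
</form>
</body></html>
"""

if __name__ == "__main__":
    for name, finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{name}: {finding}")
```

Form2 in the sample uses a relative action, so it resolves to https and produces no finding; that is the fix the post recommends (retarget the form at the SSL server), and the checker confirms it. Run against a crawl of a site's HTTPS pages, the same function gives a quick inventory of every form that would leak its fields in the clear.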