Bugtraq mailing list archives

sltrib.com, using nacorp.com's web forms are submitted insecurely, and are clearly promoted as being secure


From: "Jon Zobrist" <kgb () ussr com>
Date: Mon, 21 Jan 2002 15:59:49 -0700

Every web form I can find on their web site is DISPLAYED using SSL, and
proudly displays Thawte's logo as being a secure site. These forms contain
fields for sensitive personal information, including credit card number.

One such form is located at:
https://www.nacorp.com/NAC/_private/subscribe_now_SSL.htm

However, a simple look at their HTML shows the forms are submitted over a
non-SSL connection.

<form method="POST" action="http://www.nacorp.com/scripts/mailto.exe"
onsubmit="return FrontPage_Form1_Validator(this)" name="FrontPage_Form1">

I notified the vendor on January 7, 2002. Initial vendor response was
positive, saying they'd look into it. My follow-up inquiry, sent January 20,
2002, was replied to with a claim of disagreement.

In the interest of allowing the public to protect themselves, I am submitting
this to bugtraq, and have notified the local news.

A second criticism of their security is that the actual target of the form is
an executable called mailto.exe, and the form includes several hidden fields
containing a user's email address and a mail server.
<input type="hidden" name="sendto" value="service () nacorp com">
<input type="hidden" name="server" value="mail.nacorp.com">
<table border="1" width="100%">

I suspect this executable could easily be used by malicious persons to send
their own messages to whomever they choose, not to mention the personal
information being submitted over an insecure medium such as email.

Again, I am submitting this to bugtraq with the hopes of helping the vendor
in question understand the security flaws in their system which directly
affect active customers who put their credit card number on these forms.

-Jon Zobrist
kgb () bluesun net


----- Original Message -----
From: "John Kunze" <jkunze () nacorp com>
To: "Jon Zobrist" <kgb () bluesun net>
Sent: Monday, January 21, 2002 3:28 PM
Subject: RE: All of your web forms are completely insecure.


Jon:

We don't agree with your assessment. We are having an independent
third-party ISP evaluate the situation.

Regards,

John


-----Original Message-----
From: Jon Zobrist [mailto:kgb () bluesun net]
Sent: Sunday, January 20, 2002 3:58 PM
To: John Kunze
Subject: Re: All of your web forms are completely insecure.


It's been a while, I haven't heard anything, and the forms are still
insecure. Any update?

-Jon

----- Original Message -----
From: "John Kunze" <jkunze () nacorp com>
To: "Jon Zobrist" <kgb () bluesun net>
Sent: Monday, January 07, 2002 5:46 PM
Subject: RE: All of your web forms are completely insecure.


Jon:

I will look into this issue and get back to you.

Regards,

John Kunze
Sr. Web Developer
New Media Department
Newspaper Agency Corporation
135 South Main Street
Salt Lake City, UT 84111
Phone: (801) 237-2738
Fax: (801) 237-2519



-----Original Message-----
From: Jon Zobrist [mailto:kgb () bluesun net]
Sent: Monday, January 07, 2002 5:31 PM
To: webmaster () nacorp com
Subject: All of your web forms are completely insecure.


I submitted an ad recently, and almost paid via credit card. I checked
your html to make sure your form was being submitted securely and was
very surprised to find that it was not. To make matters worse it appears
that your form is sent to an executable which emails the results. This is
especially disturbing since the form itself is displayed over an
encrypted SSL connection, which gives a very false sense of security. I
recommend you at the very least move your mailer redirector to your SSL
server and retarget your form to there. Then I recommend you make sure
that your email server is at the very least on the same switched network
segment that your SSL server is on; this is still not an ideal solution,
but at least it's less likely to be sniffed.

If you are unsure what actions to take, I do consulting in this area and
would offer my services to help you, however that is not the primary
reason for my mailing you. It is to decrease the likelihood that someone
gets their credit card information stolen from your insecure form
submission.

Feel free to contact me with any questions you have about my concerns. I
do expect you to fix the site and if I do not hear from you within 7 days
from today (1/7/02) I will assume you have ignored my concerns and will
have no choice but to take this information to the public in hopes they
can protect themselves.


Jon Zobrist
Security Consultant
Bluesun Networks
kgb () bluesun net
801-865-9300
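
A check for the condition reported in this thread, added here as an example (it is not code from the original messages or from the vendor): it parses a page's HTML and flags any form on an HTTPS page whose action resolves to a non-HTTPS URL, plus hidden fields that let the client set mail routing. The example.com URLs, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hidden-field names that hand mail routing to the client (the two names
# seen in the quoted form; extend the set for your own mailer scripts).
ROUTING_FIELDS = {"sendto", "server"}

class FormAuditor(HTMLParser):
    """Collects each <form> with its resolved action and hidden inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action inherits the page's own scheme.
            action = urljoin(self.page_url, (a.get("action") or "").strip())
            self.forms.append({"action": action, "hidden": {}})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"][(a.get("name") or "").lower()] = a.get("value")

def audit(page_url, html):
    """Return a list of (form_action, finding) tuples for one page."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if urlsplit(page_url).scheme == "https" and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], "HTTPS page posts over cleartext"))
        for name in sorted(ROUTING_FIELDS & set(form["hidden"])):
            findings.append((form["action"], f"client-supplied mail routing field: {name}"))
    return findings

# Constructed sample modelled on the form quoted in the message.
SAMPLE = '''<form method="POST" action="http://www.example.com/scripts/mailto.exe">
<input type="hidden" name="sendto" value="service@example.com">
<input type="hidden" name="server" value="mail.example.com">
<input type="text" name="card"></form>
<form method="POST" action="/scripts/ok.cgi"><input type="hidden" name="id" value="1"></form>'''

if __name__ == "__main__":
    for action, finding in audit("https://www.example.com/subscribe.htm", SAMPLE):
        print(action, "->", finding)
```

The second form in the sample uses a relative action, so it inherits HTTPS from the page and produces no finding.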





