Re: iDefense Security Advisory 03.22.06: WebSurveyor / iDefense Survey Predictable Sequence Number and Account Enumeration Information Disclosure and Possible Cross-Site Scripting Vulnerability

["ad () heapoverflow com" <ad () heapoverflow com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
so that was a fake mail the one subject:

iDefense VCP Survey - Get a $20 Amazon.com Coupon

?

that was suspicious to me and the fact there is nothing to check if it
was from idefense , didnt replied to it, but do you confirm that was a
scam ?

Richard Larceny wrote:
> WebSurveyor / iDefense Survey Predictable Sequence Number and
> Account Enumeration Information Disclosure and Possible Cross-Site
> Scripting Vulnerability
>
> iDefense Security Advisory 03.22.06
> http://www.idefense.com/application/poi/display?type=vulnerabilities
>  March 22, 2006
>
> I. BACKGROUND
>
> WebSurveyor WebSurveyor 5.7 is an online survey/spam engine
> designed to spam clients and partners of small to mid-sized
> businesses. WebSurveryor collects, stores, and manages the
> confidential data about products and business processes for
> hundreds of such companies.
>
> More information on this software package can be found on the
> vendor's site:
>
> http://www.websurveyor.com/pricing.asp
>
> iDefense is a small to mid-sized business looking to spam clients
> and partners with surveys. More information about the iDefense
> product can be found on the vendor's site:
>
> http://www.verisign.com
>
> II. DESCRIPTION
>
> WebSurveyor is subject to an information disclosure attack. The
> software generates unique, but predictable, identifiers for each
> survey purchased by customers. Furthermore, the default error
> condition provides the name and e-mail address of the purchaser of
> the survey. Due to these design flaws, it is trivial for a remote,
> unauthenticated cockgobblers to enumerate the e-mail addresses of
> all WebSurveyor customers.
>
> The software is also likely subject to standard cross-site
> scripting attacks, but these were not explored in depth, as
> recently iDefense research scientists have determined that XSS is
> gay.
>
> > From the WebSurveyor Privacy Policy,
> http://www.websurveyor.com/websurveyor-privacypolicy.asp
>
> "Information obtained from visitors and customers will only be used
>  for internal purposes. At no time will we sell, rent, or otherwise
>  distribute your personal information or survey data to a third
> party."
>
> III. ANALYSIS
>
> Exploitation involves inserting garbage into a legitimate survey
> URL. For example, the following URL is a survey intended for
> iDefense contributors, for which respondents are rewarded with a
> 20$ Amazon gift card (hurry up and get yours today).
>
> https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
>
> By mistyping the URI target,
>
> https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
>
>
> ..an attacker can learn that this survey is owned by Jason
> Greenwood jgreenwood () idefense com.
>
> By decrementing the URI path, -here-
> https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
>
> ..an attacker can learn that the prior survey is owned by Mattias
> Johansson, bork bork bork.
>
> IV. DETECTION
>
> This exploit has been tested with a web browser.
>
> V. WORKAROUND
>
> Don't take the survey.
>
> VI. VENDOR RESPONSE
>
> No response from WebSurveyor. Here at iDefense we sell all your
> information to foriegn governments anyway, so no real issue there.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
> not been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 03/20/2006 iDefense survey goes live 03/22/2006 Initial public
> disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Disclaimer: The information in the advisory has been deemed as
> accurate by our crack pot team of monkeys based on currently
> available FUD. Use of the information constitutes acceptance for
> use in an AS IS condition. There are no warranties with regard to
> this information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEIbZdFJS99fNfR+YRApmlAKCw/Pi3M6XKaApRp24ozyih34zC5wCgsgz7
sxJfY8948jvNfzylGD9ncv4=
=MMQc
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/