Full Disclosure mailing list archives

Re: iDefense Security Advisory 03.22.06: WebSurveyor / iDefense Survey Predictable Sequence Number and Account Enumeration Information Disclosure and Possible Cross-Site Scripting Vulnerability


From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Wed, 22 Mar 2006 21:58:51 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
;>

FistFucker wrote:
Hello Arnaud,

I think the best way to clarify your question is to mail
iDefense directly. But I'm sure that they're a LITTLE BIT angry
at you today. LOL


-Manuel Santamarina Suarez aka 'FistFuXXer'



ad () heapoverflow com wrote:
So that was a fake mail, the one with the subject:

iDefense VCP Survey - Get a $20 Amazon.com Coupon

?

That was suspicious to me, and the fact that there is nothing to
check whether it was from iDefense; I didn't reply to it, but do
you confirm that was a scam?

Richard Larceny wrote:
WebSurveyor / iDefense Survey Predictable Sequence Number
and Account Enumeration Information Disclosure and Possible
Cross-Site Scripting Vulnerability

iDefense Security Advisory 03.22.06

http://www.idefense.com/application/poi/display?type=vulnerabilities

March 22, 2006

I. BACKGROUND

WebSurveyor 5.7 is an online survey/spam engine
designed to spam clients and partners of small to
mid-sized businesses. WebSurveyor collects, stores, and
manages the confidential data about products and business
processes for hundreds of such companies.

More information on this software package can be found on
the vendor's site:

http://www.websurveyor.com/pricing.asp

iDefense is a small to mid-sized business looking to spam
clients and partners with surveys. More information about
the iDefense product can be found on the vendor's site:

http://www.verisign.com

II. DESCRIPTION

WebSurveyor is subject to an information disclosure attack.
The software generates unique, but predictable, identifiers
for each survey purchased by customers. Furthermore, the
default error condition provides the name and e-mail
address of the purchaser of the survey. Due to these design
flaws, it is trivial for remote, unauthenticated
cockgobblers to enumerate the e-mail addresses of all
WebSurveyor customers.

The software is also likely subject to standard cross-site
scripting attacks, but these were not explored in depth, as
recently iDefense research scientists have determined that
XSS is gay.

From the WebSurveyor Privacy Policy,
http://www.websurveyor.com/websurveyor-privacypolicy.asp

"Information obtained from visitors and customers will only
be used for internal purposes. At no time will we sell,
rent, or otherwise distribute your personal information or
survey data to a third party."

III. ANALYSIS

Exploitation involves inserting garbage into a legitimate
survey URL. For example, the following URL is a survey
intended for iDefense contributors, for which respondents
are rewarded with a $20 Amazon gift card (hurry up and get
yours today).

https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm


By mistyping the URI target,


https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm



...an attacker can learn that this survey is owned by Jason
Greenwood jgreenwood () idefense com.

By decrementing the URI path, -here-
https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm


...an attacker can learn that the prior survey is owned by
Mattias Johansson, bork bork bork.

IV. DETECTION

This exploit has been tested with a web browser.

V. WORKAROUND

Don't take the survey.

VI. VENDOR RESPONSE

No response from WebSurveyor. Here at iDefense we sell all
your information to foreign governments anyway, so no real
issue there.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

03/20/2006 iDefense survey goes live
03/22/2006 Initial public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain
anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Disclaimer: The information in the advisory has been deemed
as accurate by our crackpot team of monkeys based on
currently available FUD. Use of the information constitutes
acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising
from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/











-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEIbqLFJS99fNfR+YRAiQuAKDSpckJZqShxA+RqR+GBsn+/A38cACguw8+
wLs0ku/j9nde5BVQo3Tvq5g=
=UKS/
-----END PGP SIGNATURE-----

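The design flaw the quoted advisory describes (consecutive survey numbers, plus an error page for a wrong filename that names the purchaser) next to the hardened form, as an added example that is not part of the original post and not WebSurveyor's code. The stores, the owner names and addresses, and the probe filename are constructed stand-ins; only the `/wsb.dll/<number>/<file>.htm` path shape is taken from the URLs quoted above.

```python
import re
import secrets
from itertools import count

# Path shape taken from the advisory's URLs: /wsb.dll/<survey id>/<file>.htm
PATH_RE = re.compile(r"^/wsb\.dll/(?P<sid>[^/]+)/(?P<file>[^/]+)$")


class SequentialStore:
    """Flawed design: survey ids are consecutive integers, and a request
    for a wrong filename under a real id answers with the owner's details."""

    def __init__(self, first_id=46280):
        self._next = count(first_id)
        self.surveys = {}

    def create(self, owner_name, owner_email, filename):
        sid = str(next(self._next))          # predictable: previous id + 1
        self.surveys[sid] = {"name": owner_name, "email": owner_email, "file": filename}
        return sid

    def serve(self, path):
        m = PATH_RE.match(path)
        s = self.surveys.get(m["sid"]) if m else None
        if s is None:
            return 404, "Survey not found."
        if s["file"] != m["file"]:
            # The leak: a "helpful" error that names the purchaser.
            return 404, f"Survey not found. Owner: {s['name']} <{s['email']}>"
        return 200, "survey form"


class TokenStore(SequentialStore):
    """Hardened: 128-bit random ids (there is no neighbour to decrement to)
    and one generic error for a bad id and a bad filename alike."""

    def create(self, owner_name, owner_email, filename):
        sid = secrets.token_urlsafe(16)      # 16 random bytes = 128 bits of entropy
        self.surveys[sid] = {"name": owner_name, "email": owner_email, "file": filename}
        return sid

    def serve(self, path):
        m = PATH_RE.match(path)
        s = self.surveys.get(m["sid"]) if m else None
        if s is None or s["file"] != m["file"]:
            return 404, "Survey not found."
        return 200, "survey form"


LEAK_RE = re.compile(r"Owner: (.+?) <(.+?)>")


def enumerate_owners(serve, start, stop):
    """The walk the advisory describes: request neighbouring integer ids with
    a deliberately wrong filename and collect whatever the error page reveals."""
    leaked = {}
    for n in range(start, stop):
        status, body = serve(f"/wsb.dll/{n}/does_not_exist.htm")
        m = LEAK_RE.search(body)
        if m:
            leaked[str(n)] = (m.group(1), m.group(2))
    return leaked


def demo():
    """Two constructed customers buy a survey on each backend; a sweep of a
    small integer range around a known id harvests every owner from the
    sequential backend and nothing from the token backend."""
    seq, tok = SequentialStore(), TokenStore()
    for store in (seq, tok):
        store.create("Alice Example", "alice@example.com", "survey_a.htm")
        store.create("Bob Example", "bob@example.com", "survey_b.htm")
    any_token = next(iter(tok.surveys))
    return {
        "sequential": enumerate_owners(seq.serve, 46278, 46284),
        "token": enumerate_owners(tok.serve, 46278, 46284),
        # Even with a valid token, a wrong filename reveals nothing.
        "token_wrong_file": tok.serve(f"/wsb.dll/{any_token}/x.htm"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both fixes matter on their own: a random id stops the neighbour walk, and a uniform error stops the oracle that turns a guessed id into a name and address, so a token that does leak (in a log, a referrer, a forwarded mail) still does not identify its purchaser on a mistyped path.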

