Vulnerability Development mailing list archives
Re: Neato Bell Atlantic Feature
From: J Edgar Hoover <zorch () RIGHTEOUS NET>
Date: Mon, 14 Aug 2000 17:58:48 -0700
On Mon, 14 Aug 2000, Russell Berry wrote:
Stop looking at this as a toy to go play with, and start looking for similar breaches in the institutions you all use and warn them accordingly. I fear there is a LOT of this kind of vulnerability going around.
Not trusting data supplied by the client is one of the most basic rules of network security. Trusting the client to process, conceal and return trusted data is a really bad idea. I suspect they didn't want to run the application on the server side for fear of the server being exploited with user defined data... but trusting an application running on the client side brings other problems. Aside from the obvious example of reading 'hidden' fields in source, it is no great leap to edit the JavaScript and send corrupted data back to the server. This opens the server to the very problem they sought to avoid. Many sites trust variables returned by the client simply because they used JavaScript to provide a menu and don't allow free form user input... Same problem, you just edit the script and return any value you'd like.

P.S., BA/Verizon fixed the site, but not my phone.

Regards,
Russell

On 14-Aug-00 Seth Cohn wrote:
Had someone in BA country check it out. Among other things, it returns name and address for a phone number and also a PUB notation. I wonder if private numbers will also be listed... could be, looks like a db lookup. In which case, an autoscanner could compile a list of private numbers. :( Expect this to go away rsn. Too easy to abuse.

Words to Live by...
Work like you don't need money,
Love like you've never been hurt,
Dance like nobody's watching.
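As an added illustration of the point Russell makes above (example code written for this archive page, not code from the thread or from the site discussed): a form handler that trusts the menu value and hidden price field the client returns, beside one that validates the menu value against a server-side allowlist and looks the price up server-side. The plan table, field names and handler functions are constructed for the example.

```python
from typing import Mapping

# Constructed server-side data: the only plans the menu is supposed to offer.
PLANS = {"basic": 20.00, "plus": 35.00}


class RejectedInput(ValueError):
    """Raised when a submitted value is not one the server itself offered."""


def process_order_trusting_client(form: Mapping[str, str]) -> dict:
    """Vulnerable pattern: the server assumes the JavaScript menu limited
    'plan' to valid choices and that the hidden 'price' field came back
    unchanged. Anyone who edits the script or the request can send any
    value, and the server accepts it as-is."""
    return {"plan": form["plan"], "price": float(form["price"])}


def process_order_validated(form: Mapping[str, str]) -> dict:
    """Hardened pattern: the menu value is checked against the server's own
    allowlist, and the price is taken from server-side data. The client's
    copy of the price is ignored entirely, so editing it changes nothing."""
    plan = form.get("plan")
    if plan not in PLANS:
        raise RejectedInput(f"unknown plan {plan!r}")
    return {"plan": plan, "price": PLANS[plan]}


if __name__ == "__main__":
    # Constructed tampered submission: a plan the menu never offered and a
    # rewritten hidden price field.
    tampered = {"plan": "enterprise", "price": "0.01"}
    print("trusting client:", process_order_trusting_client(tampered))
    try:
        process_order_validated(tampered)
    except RejectedInput as exc:
        print("validated:", exc)
```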
Current thread:
- Neato Bell Atlantic Feature J Edgar Hoover (Aug 13)
- Re: Neato Bell Atlantic Feature Chris Tresco (Aug 13)
- Re: Neato Bell Atlantic Feature Seth Cohn (Aug 14)
- Re: Neato Bell Atlantic Feature Russell Berry (Aug 14)
- Re: Neato Bell Atlantic Feature Marc Maiffret (Aug 14)
- Re: Neato Bell Atlantic Feature J Edgar Hoover (Aug 14)
- Re: Neato Bell Atlantic Feature Blue Boar (Aug 14)
- Re: Neato Bell Atlantic Feature Seth Cohn (Aug 14)
- Re: Neato Bell Atlantic Feature Chris Tresco (Aug 13)
- Re: Neato Bell Atlantic Feature Blue Boar (Aug 14)
- <Possible follow-ups>
- Re: Neato Bell Atlantic Feature Stephen Friedl (Aug 14)