BreachExchange mailing list archives
Eloqua, subscription manager for VMWare, leaks customer info
From: security curmudgeon <jericho () attrition org>
Date: Thu, 14 Apr 2011 00:23:28 -0500 (CDT)
http://andrewmohawk.com/2011/04/13/vmware-user-information-leak/

VMWare User Information Leak
This entry was posted on Apr 13 2011

Click here to search the VMWare user database!

So last week some time Chris Hadnagy linked me to the following URL: http://info.vmware.com/content/opt-out which was pretty interesting last week. Basically it allowed someone to fill in their email address to manage their VMWare subscriptions. I noticed a couple of things from the next pages:

* The fields auto populated with details like Name, Phone Number etc (I know, without auth and only an email address ... worriedface)
* Another tab became available that allowed you to update your details ... again, no auth, scary

So I whipped out the good old firebug and started looking through the ajax calls till I came across this little gem:

[..]

http://www.andrewmohawk.com/VMWareScraper/

VMWare/Eloqua leaks your info!

Basically Eloqua (the subscription guys for VMWare) are leaking customer info via svrGP.aspx, discovered by Chris Hadnagy and Andrew MacPherson

Thanks,
Andrew MacPherson (andrew () andrewmohawk com)

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
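The post describes a subscription page that returns and updates a profile given only an email address. The sketch below is an added example, not code from the post, Eloqua or VMware: it sets that pattern beside a version that requires a signed, expiring token mailed to the address owner. It is written in Python rather than the ASP.NET of the real endpoint, and every name, the secret and the sample record are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 900                   # assumption: mailed links expire after 15 minutes

# Constructed sample record; not real customer data.
PROFILES = {"alice@example.com": {"name": "Alice Example", "phone": "555-0100"}}


def lookup_unauthenticated(email):
    """The pattern the post describes: an email address alone returns the profile."""
    return PROFILES.get(email.lower())


def _sign(email, expires):
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Token to be mailed to the address owner inside the 'manage subscriptions' link."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"


def verify_token(email, token, now=None):
    """True only if the token was issued for this email and has not expired."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(_sign(email, expires).encode(), sig.encode()):
        return False
    return (time.time() if now is None else now) <= expires


def get_profile(email, token, now=None):
    """Read path: no profile data without proof of mailbox control."""
    return PROFILES.get(email.lower()) if verify_token(email, token, now) else None


def update_profile(email, token, fields, now=None):
    """Write path: the same check guards the 'update your details' tab."""
    if not verify_token(email, token, now) or email.lower() not in PROFILES:
        return False
    PROFILES[email.lower()].update(fields)
    return True
```

Because the token binds the email address and the expiry into the HMAC, a link issued for one address cannot be replayed against another.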