Full Disclosure mailing list archives

iDefense Security Advisory 03.22.06: WebSurveyor / iDefense Survey Predictable Sequence Number and Account Enumeration Information Disclosure and Possible Cross-Site Scripting Vulnerability


From: "Richard Larceny" <the.return.of.dicktheft () gmail com>
Date: Wed, 22 Mar 2006 13:19:06 -0600

WebSurveyor / iDefense Survey Predictable Sequence
Number and Account Enumeration Information Disclosure
and Possible Cross-Site Scripting Vulnerability

iDefense Security Advisory 03.22.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
March 22, 2006

I. BACKGROUND

WebSurveyor 5.7 is an online survey/spam engine
designed to spam clients and partners of small to mid-sized
businesses. WebSurveyor collects, stores, and manages the
confidential data about products and business processes for
hundreds of such companies.

More information on this software package can be found on the
vendor's site:

 http://www.websurveyor.com/pricing.asp

iDefense is a small to mid-sized business looking to spam clients and
partners with surveys. More information about the iDefense product can
be found on the vendor's site:

 http://www.verisign.com

II. DESCRIPTION

WebSurveyor is subject to an information disclosure attack. The
software generates unique, but predictable, identifiers
for each survey purchased by customers. Furthermore, the default
error condition provides the name and e-mail address of the purchaser
of the survey. Due to these design flaws, it is trivial for a remote,
unauthenticated cockgobblers to enumerate the e-mail addresses of
all WebSurveyor customers.

The software is also likely subject to standard cross-site scripting
attacks, but these were not explored in depth, as recently iDefense
research scientists have determined that XSS is gay.

From the WebSurveyor Privacy Policy,
 http://www.websurveyor.com/websurveyor-privacypolicy.asp

"Information obtained from visitors and customers will only be used
for internal purposes. At no time will we sell, rent, or otherwise
distribute your personal information or survey data to a third
party."

III. ANALYSIS

Exploitation involves inserting garbage into a legitimate survey URL.
For example, the following URL is a survey intended for iDefense
contributors, for which respondents are rewarded with a $20 Amazon
gift card (hurry up and get yours today).

  https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm

By mistyping the URI target,

  https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm

...an attacker can learn that this survey is owned by Jason Greenwood
jgreenwood () idefense com.

By decrementing the URI path,
                                  -here-
  https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm

...an attacker can learn that the prior survey is owned by Mattias
Johansson, bork bork bork.

IV. DETECTION

This exploit has been tested with a web browser.

V. WORKAROUND

Don't take the survey.

VI. VENDOR RESPONSE

No response from WebSurveyor. Here at iDefense we sell all your
information to foreign governments anyway, so no real issue there.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/20/2006 iDefense survey goes live
03/22/2006 Initial public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Disclaimer: The information in the advisory has been deemed as accurate
by our crack pot team of monkeys based on currently available FUD. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
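The two design flaws the post describes in sections II and III, sequential survey identifiers plus an error page that names the purchaser, are easy to reproduce in miniature and to fix. The following is an added example written for this archive page; it is not code from the post, from WebSurveyor or from iDefense. It contrasts a lookup that mimics the described behaviour with a hardened store that uses unguessable tokens and a uniform error response, and it includes a small log check for the decrement-and-read pattern from section III. All survey records, owner addresses, log lines and the `/wsb.dll/<id>/<name>.htm` route shape beyond what the post shows are constructed for the example.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample records (hypothetical owners, not the vendor's data).
SURVEYS = {
    46281: {"file": "survey_a.htm", "title": "Survey A", "owner": "owner-a@example.invalid"},
    46282: {"file": "survey_b.htm", "title": "Survey B", "owner": "owner-b@example.invalid"},
}


def lookup_verbose(survey_id: int, filename: str) -> str:
    """Mimics the behaviour described in the post: the survey id is a small
    sequential integer, and a mistyped filename yields an error page that
    names the purchaser. Anyone who can count can therefore walk the id
    space and collect owner contacts."""
    rec = SURVEYS.get(survey_id)
    if rec is None:
        return "404 No such survey"
    if filename != rec["file"]:
        # The disclosure: error text carries the owner's contact details.
        return f"404 Page not found. This survey is owned by {rec['owner']}."
    return f"200 {rec['title']}"


class HardenedStore:
    """Hardened counterpart: surveys are addressed by a random 128-bit token
    rather than a counter, and every failure returns the same generic page,
    so a wrong filename and an unknown token are indistinguishable."""

    def __init__(self) -> None:
        self._by_token: dict[str, dict] = {}

    def create(self, file: str, title: str, owner: str) -> str:
        token = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe, not sequential
        self._by_token[token] = {"file": file, "title": title, "owner": owner}
        return token

    def lookup(self, token: str, filename: str) -> str:
        rec = self._by_token.get(token)
        if rec is None or rec["file"] != filename:
            return "404 Page not found"  # identical text for both failure cases
        return f"200 {rec['title']}"


# Constructed access-log lines in a simplified format: client, dash, request, status.
SAMPLE_LOG = [
    '203.0.113.7 - "GET /wsb.dll/46282/iDefense_should_check_this.htm" 404',
    '203.0.113.7 - "GET /wsb.dll/46281/and_who_might_you_be.htm" 404',
    '203.0.113.7 - "GET /wsb.dll/46280/next_one_down.htm" 404',
    '198.51.100.4 - "GET /wsb.dll/46282/iDefense_VCP_12-20.htm" 200',
]

LOG_RE = re.compile(r'^(\S+) \S+ "GET /wsb\.dll/(\d+)/[^" ]*" (\d{3})')


def sequential_probe_clients(log_lines, min_run: int = 3) -> dict:
    """Return {client: longest_run} for clients whose 404 responses cover at
    least `min_run` consecutive survey ids, i.e. the decrement-and-read
    enumeration pattern. Only the id space is inspected, not the filenames,
    so a walker that varies the mistyped name on every request is still seen."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "404":
            ids_per_client[m.group(1)].add(int(m.group(2)))

    flagged = {}
    for client, ids in ids_per_client.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(lookup_verbose(46282, "typo.htm"))          # leaks the owner
    store = HardenedStore()
    tok = store.create("survey_b.htm", "Survey B", "owner-b@example.invalid")
    print(store.lookup(tok, "typo.htm"))              # generic 404
    print(sequential_probe_clients(SAMPLE_LOG))       # {'203.0.113.7': 3}
```

The token store removes both halves of the problem at once: without a counter there is no neighbouring survey to decrement to, and without owner details in the error page a guessed or leaked token reveals nothing but the survey itself. The log check is deliberately coarse; in practice it would be run per time window and combined with a rate limit on 404s per client.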

