Vulnerability Development mailing list archives
FW: verizon wireless website gaping privacy holes
From: Michael Wojcik <Michael.Wojcik () merant com>
Date: Tue, 4 Sep 2001 15:20:49 -0700
[Originally sent to Bugtraq; Elias felt it was better suited to Vuln-Dev.]
From: Jeff Carnahan [mailto:tails () yahoo com] Sent: Monday, September 03, 2001 1:36 AM
[Discussing easily-spoofed session IDs in the Verizon user-account web interface, Jeff noted some results from spoofed requests, including the following.]
One session ID produced the message: DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN PROCESS: ACOPT07H GETUSGA INTERNET08448771 2001/245 23:20:53
Looks like Verizon is using an IMS (an IBM mainframe DBMS and execution environment, with a queuing architecture, often used for transactional applications like this) backend. That's the usual source of DFS error messages in my experience. "ACOPTO7H" is the transaction name (assigned by the IMS DBA). "GETUSGA" is a parameter, probably a control code for "get user [something]". "INTERNET" is presumably a flag telling the system that this was a web request, and "08448771" may have been the session ID. "2001/245" is the date in year/day-of-year form, of course. It's been a while since I looked at DFS message formats, but I suspect "S000,U4010" means user rather than system abend - the program processing the transaction abended with code 4010. IBM IMS red books are probably available on the IBM web, if anyone's interested in digging further. This information probably isn't particularly useful (I don't think there are any IMS script-kiddies out there), but it should be embarassing for the developers that it gets exposed at all. Michael Wojcik Principal Software Systems Developer, Micro Focus Department of English, Miami University
Current thread:
- FW: verizon wireless website gaping privacy holes Michael Wojcik (Sep 04)