Vulnerability Development mailing list archives

FW: verizon wireless website gaping privacy holes


From: Michael Wojcik <Michael.Wojcik () merant com>
Date: Tue, 4 Sep 2001 15:20:49 -0700

[Originally sent to Bugtraq; Elias felt it was better suited to Vuln-Dev.]

From: Jeff Carnahan [mailto:tails () yahoo com]
Sent: Monday, September 03, 2001 1:36 AM

[Discussing easily-spoofed session IDs in the Verizon user-account web
interface, Jeff noted some results from spoofed requests, including the
following.]

One session ID produced the message:

DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN
PROCESS:                        ACOPT07H GETUSGA   
INTERNET08448771                                      
      2001/245  23:20:53

Looks like Verizon is using an IMS (an IBM mainframe DBMS and 
execution environment, with a queuing architecture, often 
used for transactional applications like this) backend.  
That's the usual source of DFS error messages in my 
experience.  "ACOPT07H" is the transaction name (assigned by 
the IMS DBA).  "GETUSGA" is a parameter, probably a control 
code for "get user [something]".  "INTERNET" is presumably a 
flag telling the system that this was a web request, and 
"08448771" may have been the session ID.  "2001/245" is the 
date in year/day-of-year form, of course.  It's been a while 
since I looked at DFS message formats, but I suspect 
"S000,U4010" means user rather than system abend - the 
program processing the transaction abended with code 4010.

IBM IMS red books are probably available on the IBM web, if 
anyone's interested in digging further.

This information probably isn't particularly useful (I don't 
think there are any IMS script-kiddies out there), but it 
should be embarrassing for the developers that it gets exposed at all.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
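
[Added example, not part of the original post or of any Verizon or IBM code: a response filter that recognises a leaked DFS555I message, breaks it into the fields as the post reads them, and replaces it before the page reaches the client. The field meanings follow the post's interpretation rather than IBM documentation; the HTML wrapper, function names and placeholder text are assumptions.]

```python
import re
from datetime import date, timedelta

# Constructed sample: the message quoted in the post, wrapped in a made-up
# HTML error page such as a web front end might return.
SAMPLE_BODY = (
    "<html><body><p>Unable to process request.</p>\n"
    "DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN\n"
    "PROCESS:                        ACOPT07H GETUSGA   \n"
    "INTERNET08448771                                      \n"
    "      2001/245  23:20:53\n"
    "</body></html>"
)

# Layout assumed from the single message in the post: transaction name,
# system/user abend codes, the in-flight input message, then date and time.
DFS555I = re.compile(
    r"DFS555I\s+TRAN\s+(?P<tran>\S+)\s+ABEND\s+"
    r"S(?P<sys>[0-9A-F]{3}),U(?P<user>\d{4})"
    r"\s*;\s*MSG\s+IN\s+PROCESS:\s*(?P<msg>.*?)"
    r"(?P<year>\d{4})/(?P<doy>\d{3})\s+(?P<time>\d{2}:\d{2}:\d{2})",
    re.DOTALL,
)

def parse_dfs555i(text):
    """Return one dict per DFS555I message found in a response body."""
    found = []
    for m in DFS555I.finditer(text):
        # The date is year/day-of-year; convert it to a calendar date.
        when = date(int(m["year"]), 1, 1) + timedelta(days=int(m["doy"]) - 1)
        found.append({
            "transaction": m["tran"],
            "system_abend": m["sys"],
            "user_abend": m["user"],
            # Post's reading: S000 with a non-zero U code is a user abend.
            "abend_kind": "user" if m["sys"] == "000" else "system",
            "message_tokens": m["msg"].split(),
            "date": when.isoformat(),
            "time": m["time"],
        })
    return found

def scrub(text, placeholder="[backend error withheld]"):
    """Replace each leaked message so internals never reach the client."""
    return DFS555I.sub(placeholder, text)

if __name__ == "__main__":
    for leak in parse_dfs555i(SAMPLE_BODY):
        print("leaked backend message:", leak)
    print(scrub(SAMPLE_BODY))
```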

