So that was a fake mail, the one with the subject:

iDefense VCP Survey - Get a $20 Amazon.com Coupon?

That was suspicious to me, and so was the fact that there is nothing to check whether it was from iDefense. I didn't reply to it, but do you confirm that was a scam?

Richard Larceny wrote:
> WebSurveyor / iDefense Survey Predictable Sequence Number and
> Account Enumeration Information Disclosure and Possible Cross-Site
> Scripting Vulnerability
>
> iDefense Security Advisory 03.22.06
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> March 22, 2006
>
> I. BACKGROUND
>
> WebSurveyor 5.7 is an online survey/spam engine designed to spam
> clients and partners of small to mid-sized businesses. WebSurveyor
> collects, stores, and manages the confidential data about products
> and business processes for hundreds of such companies.
>
> More information on this software package can be found on the
> vendor's site:
>
> http://www.websurveyor.com/pricing.asp
>
> iDefense is a small to mid-sized business looking to spam clients
> and partners with surveys. More information about the iDefense
> product can be found on the vendor's site:
>
> http://www.verisign.com
>
> II. DESCRIPTION
>
> WebSurveyor is subject to an information disclosure attack. The
> software generates unique, but predictable, identifiers for each
> survey purchased by customers. Furthermore, the default error
> condition provides the name and e-mail address of the purchaser of
> the survey. Due to these design flaws, it is trivial for remote,
> unauthenticated cockgobblers to enumerate the e-mail addresses of
> all WebSurveyor customers.
>
> The software is also likely subject to standard cross-site
> scripting attacks, but these were not explored in depth, as
> recently iDefense research scientists have determined that XSS is
> gay.
>
> From the WebSurveyor Privacy Policy,
> http://www.websurveyor.com/websurveyor-privacypolicy.asp
>
> "Information obtained from visitors and customers will only be used
> for internal purposes. At no time will we sell, rent, or otherwise
> distribute your personal information or survey data to a third
> party."
>
> III. ANALYSIS
>
> Exploitation involves inserting garbage into a legitimate survey
> URL. For example, the following URL is a survey intended for
> iDefense contributors, for which respondents are rewarded with a
> $20 Amazon gift card (hurry up and get yours today).
>
> https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
>
> By mistyping the URI target,
>
> https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
>
> ...an attacker can learn that this survey is owned by Jason
> Greenwood [EMAIL PROTECTED]
>
> By decrementing the URI path, -here-
> https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
>
> ...an attacker can learn that the prior survey is owned by Mattias
> Johansson, bork bork bork.
>
> IV. DETECTION
>
> This exploit has been tested with a web browser.
>
> V. WORKAROUND
>
> Don't take the survey.
>
> VI. VENDOR RESPONSE
>
> No response from WebSurveyor. Here at iDefense we sell all your
> information to foreign governments anyway, so no real issue there.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
> not been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 03/20/2006 iDefense survey goes live
> 03/22/2006 Initial public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Disclaimer: The information in the advisory has been deemed as
> accurate by our crack pot team of monkeys based on currently
> available FUD. Use of the information constitutes acceptance for
> use in an AS IS condition. There are no warranties with regard to
> this information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
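Added example, not part of the post nor code from iDefense or WebSurveyor: a detection pass over constructed web-server access-log lines that flags any client requesting runs of consecutive survey ids under the /wsb.dll/<id>/<name>.htm path shape the quoted advisory describes, which is what walking a predictable identifier space looks like from the server side. The Common Log Format layout, the client addresses and the run threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed Common Log Format: ip ident user [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
# Survey URL shape from the advisory: /wsb.dll/<numeric id>/<survey name>.htm
SURVEY_RE = re.compile(r'^/wsb\.dll/(?P<sid>\d+)/(?P<name>[^/?]+)$')


def parse_survey_hit(line):
    """Return (client_ip, survey_id) for a survey request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = SURVEY_RE.match(m.group('path'))
    if not p:
        return None
    return m.group('ip'), int(p.group('sid'))


def contiguous_runs(ids):
    """Collapse a collection of ints into sorted (low, high) runs of consecutive values."""
    runs, start, prev = [], None, None
    for sid in sorted(set(ids)):
        if start is None or sid != prev + 1:
            if start is not None:
                runs.append((start, prev))
            start = sid
        prev = sid
    if start is not None:
        runs.append((start, prev))
    return runs


def find_enumeration(lines, min_run=3):
    """Map client ip -> runs of at least min_run consecutive survey ids it requested."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        hit = parse_survey_hit(line)
        if hit:
            ids_by_ip[hit[0]].add(hit[1])
    flagged = {}
    for ip, ids in ids_by_ip.items():
        runs = [r for r in contiguous_runs(ids) if r[1] - r[0] + 1 >= min_run]
        if runs:
            flagged[ip] = runs
    return flagged


# Constructed sample: 203.0.113.7 walks ids downward; 198.51.100.5 is a normal respondent.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2006:10:01:02 +0000] "GET /wsb.dll/46282/x.htm HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Mar/2006:10:01:03 +0000] "GET /wsb.dll/46281/x.htm HTTP/1.1" 200 498',
    '203.0.113.7 - - [22/Mar/2006:10:01:04 +0000] "GET /wsb.dll/46280/x.htm HTTP/1.1" 200 503',
    '203.0.113.7 - - [22/Mar/2006:10:01:05 +0000] "GET /wsb.dll/46279/x.htm HTTP/1.1" 200 511',
    '198.51.100.5 - - [22/Mar/2006:10:02:00 +0000] "GET /wsb.dll/46282/iDefense_VCP_12-20.htm HTTP/1.1" 200 8120',
    '198.51.100.5 - - [22/Mar/2006:10:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]

if __name__ == '__main__':
    print(find_enumeration(SAMPLE_LOG))  # {'203.0.113.7': [(46279, 46282)]}
```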
