> FistFucker wrote:
> Hello Arnaud,
>
> I think the best way to clarify your question is to directly mail
> to iDefense. But I'm sure that they're today a LITTLE BIT angry on
> you. LOL
>
>
> -Manuel Santamarina Suarez aka 'FistFuXXer'
>
>
> [EMAIL PROTECTED] wrote:
>>> so that was a fake mail the one subject:
>>>
>>> iDefense VCP Survey - Get a $20 Amazon.com Coupon
>>>
>>> ?
>>>
>>> that was suspicious to me and the fact there is nothing to check
>>> if it was from idefense , didn't replied to it, but do you confirm
>>> that was a scam ?
>>>
>>> Richard Larceny wrote:
>>>>> WebSurveyor / iDefense Survey Predictable Sequence Number
>>>>> and Account Enumeration Information Disclosure and Possible
>>>>> Cross-Site Scripting Vulnerability
>>>>>
>>>>> iDefense Security Advisory 03.22.06
>>>>> http://www.idefense.com/application/poi/display?type=vulnerabilities
>>>>> March 22, 2006
>>>>>
>>>>> I. BACKGROUND
>>>>>
>>>>> WebSurveyor WebSurveyor 5.7 is an online survey/spam engine
>>>>> designed to spam clients and partners of small to
>>>>> mid-sized businesses. WebSurveyor collects, stores, and
>>>>> manages the confidential data about products and business
>>>>> processes for hundreds of such companies.
>>>>>
>>>>> More information on this software package can be found on
>>>>> the vendor's site:
>>>>>
>>>>> http://www.websurveyor.com/pricing.asp
>>>>>
>>>>> iDefense is a small to mid-sized business looking to spam
>>>>> clients and partners with surveys. More information about
>>>>> the iDefense product can be found on the vendor's site:
>>>>>
>>>>> http://www.verisign.com
>>>>>
>>>>> II. DESCRIPTION
>>>>>
>>>>> WebSurveyor is subject to an information disclosure attack.
>>>>> The software generates unique, but predictable, identifiers
>>>>> for each survey purchased by customers. Furthermore, the
>>>>> default error condition provides the name and e-mail
>>>>> address of the purchaser of the survey. Due to these design
>>>>> flaws, it is trivial for a remote, unauthenticated
>>>>> cockgobblers to enumerate the e-mail addresses of all
>>>>> WebSurveyor customers.
>>>>>
>>>>> The software is also likely subject to standard cross-site
>>>>> scripting attacks, but these were not explored in depth, as
>>>>> recently iDefense research scientists have determined that
>>>>> XSS is gay.
>>>>>
>>>>> From the WebSurveyor Privacy Policy,
>>>>> http://www.websurveyor.com/websurveyor-privacypolicy.asp
>>>>>
>>>>> "Information obtained from visitors and customers will only
>>>>> be used for internal purposes. At no time will we sell,
>>>>> rent, or otherwise distribute your personal information or
>>>>> survey data to a third party."
>>>>>
>>>>> III. ANALYSIS
>>>>>
>>>>> Exploitation involves inserting garbage into a legitimate
>>>>> survey URL. For example, the following URL is a survey
>>>>> intended for iDefense contributors, for which respondents
>>>>> are rewarded with a 20$ Amazon gift card (hurry up and get
>>>>> yours today).
>>>>>
>>>>> https://websurveyor.net/wsb.dll/46282/iDefense_VCP_12-20.htm
>>>>>
>>>>> By mistyping the URI target,
>>>>>
>>>>> https://websurveyor.net/wsb.dll/46282/iDefense_should_check_this.htm
>>>>>
>>>>> ...an attacker can learn that this survey is owned by Jason
>>>>> Greenwood [EMAIL PROTECTED]
>>>>>
>>>>> By decrementing the URI path, -here-
>>>>> https://websurveyor.net/wsb.dll/46281/and_who_might_you_be.htm
>>>>>
>>>>> ...an attacker can learn that the prior survey is owned by
>>>>> Mattias Johansson, bork bork bork.
>>>>>
>>>>> IV. DETECTION
>>>>>
>>>>> This exploit has been tested with a web browser.
>>>>>
>>>>> V. WORKAROUND
>>>>>
>>>>> Don't take the survey.
>>>>>
>>>>> VI. VENDOR RESPONSE
>>>>>
>>>>> No response from WebSurveyor. Here at iDefense we sell all
>>>>> your information to foreign governments anyway, so no real
>>>>> issue there.
>>>>>
>>>>> VII. CVE INFORMATION
>>>>>
>>>>> A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
>>>>> number has not been assigned yet.
>>>>>
>>>>> VIII. DISCLOSURE TIMELINE
>>>>>
>>>>> 03/20/2006 iDefense survey goes live
>>>>> 03/22/2006 Initial public disclosure
>>>>>
>>>>> IX. CREDIT
>>>>>
>>>>> The discoverer of this vulnerability wishes to remain
>>>>> anonymous.
>>>>>
>>>>> Get paid for vulnerability research
>>>>> http://www.idefense.com/poi/teams/vcp.jsp
>>>>>
>>>>> Free tools, research and upcoming events
>>>>> http://labs.idefense.com
>>>>>
>>>>> X. LEGAL NOTICES
>>>>>
>>>>> Disclaimer: The information in the advisory has been deemed
>>>>> as accurate by our crack pot team of monkeys based on
>>>>> currently available FUD. Use of the information constitutes
>>>>> acceptance for use in an AS IS condition. There are no
>>>>> warranties with regard to this information. Neither the
>>>>> author nor the publisher accepts any liability for any
>>>>> direct, indirect, or consequential loss or damage arising
>>>>> from use of, or reliance on, this information.
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it. Charter:
>>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
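Added example, not code from the thread or from WebSurveyor/iDefense: a minimal model of the two design flaws the quoted advisory describes (a counter-based survey ID and an error page that names the survey's owner) beside a hardened handler that issues an unguessable token per survey and returns one generic error for every failure. All IDs, names and addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Survey:
    owner_name: str
    owner_email: str
    slug: str


# Constructed sample data; the numeric IDs only mimic a sequential counter.
SEQUENTIAL = {
    46281: Survey("Owner A", "owner-a@example.com", "survey_a.htm"),
    46282: Survey("Owner B", "owner-b@example.com", "survey_b.htm"),
}


def serve_vulnerable(survey_id: int, slug: str) -> str:
    """Behaviour the advisory describes: adjacent IDs exist, and a wrong slug
    produces an error page that discloses who owns the survey."""
    survey = SEQUENTIAL.get(survey_id)
    if survey is None:
        return "No such survey."
    if survey.slug != slug:
        return f"Survey not found. Contact {survey.owner_name} <{survey.owner_email}>."
    return f"<h1>{survey.slug}</h1>"


TOKENS: dict = {}
GENERIC_ERROR = "Survey not found."


def register_hardened(survey: Survey) -> str:
    """Issue a random 128-bit public identifier instead of the next counter
    value, so neighbouring surveys cannot be reached by decrementing."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = survey
    return token


def serve_hardened(token: str, slug: str) -> str:
    """Same constant response for an unknown token and for a wrong slug, so
    the error path never reveals that the survey exists or who owns it."""
    survey = TOKENS.get(token)
    if survey is None or not secrets.compare_digest(survey.slug, slug):
        return GENERIC_ERROR
    return f"<h1>{survey.slug}</h1>"


def leaks_owner(response: str, survey: Survey) -> bool:
    """Review check for an error page: does it contain the owner's identity?"""
    return survey.owner_name in response or survey.owner_email in response
```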
