VMWare User Information Leak
Click here to search the VMWare user database!
So last week some time Chris Hadnagy linked me to the following URL: http://info.vmware.com/content/opt-out which was pretty interesting last week. Basically it allowed someone to fill in their email address to manage their VMWare subscriptions. I noticed a couple of things from the next pages:
- The fields auto-populated with details like Name, Phone Number etc. (I know, without auth and only an email address – worriedface)
- Another tab became available that allowed you to update your details – again, no auth, scary
So I whipped out the good old Firebug and started looking through the AJAX calls till I came across this little gem:
http://now.eloqua.com/visitor/v200/svrGP.aspx?pps=50&siteid=524&DLKey=<sessionkey>&DLLookup=%3CC_EmailAddress%3E<email_address>%3C/C_EmailAddress%3E&ms=59
and the resulting page looked something like:
function GetElqContentPersonalizationValue(strDataField) {
    var strTemp = '';
    //alert('Data Field: ' + strDataField);
    if(strDataField == 'C_EmailAddress' || strDataField == 'EmailAddress') {strTemp = 'andrewmohawk\x40gmail.com';}
    if(strDataField == 'C_FirstName' || strDataField == 'FirstName') {strTemp = 'Andrew';}
    if(strDataField == 'C_LastName' || strDataField == 'LastName') {strTemp = 'MacPherson';}
Yeah, great info straight in that.. EEEK! So being the script kiddie (seriously, scripting languages FTW) I wrote a tiny PHP application to pull this info and display it.
However the issue was that if you could update someone's account, then you could simply change their email address, do a password reset and gain access to a commercial account, giving people access to software that someone else paid loads for. This isn't cool, so I didn't put the link out. However this week VMWare have removed the update page and the auto-populating fields, yet my scraper still works, so I figured I'd put it out.
I’ve specifically left out the sessionkey to make it at least not a trivial cut and paste to get info yourself since it may still be possible to update from that code.
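For defenders, the root cause above is a lookup keyed only on an email address. The following is an added example, not code from the original post or from VMWare/Eloqua: a sketch of a preference-centre lookup that returns contact fields only when the request carries an expiring HMAC token bound to that address and delivered in the opt-out email. The secret, `CONTACTS` record and function names are all assumptions made up for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to the browser
MAX_AGE = 7 * 24 * 3600            # assumption: links in the email expire after 7 days

# Constructed sample record standing in for the contact database.
CONTACTS = {"alice@example.com": {"FirstName": "Alice", "LastName": "Example"}}


def _sig(email, issued):
    """HMAC over the normalised address and issue time, so a token only fits one mailbox."""
    msg = f"{email.lower()}|{issued}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(email, now=None):
    """Token placed in the link mailed to `email`; only the mailbox owner receives it."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sig(email, issued)}"


def verify_token(email, token, now=None):
    """True only for an unexpired token that was issued for exactly this address."""
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    now = int(time.time() if now is None else now)
    if not 0 <= now - issued <= MAX_AGE:
        return False
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(sig.encode(), _sig(email, issued).encode())


def lookup_contact(email, token, now=None):
    """Return personalisation fields only when the token proves control of the mailbox."""
    if not verify_token(email, token, now):
        return None  # identical answer for bad token and unknown address: no lookup oracle
    return CONTACTS.get(email.lower())
```

The same check belongs in front of the update handler, since changing the address on record is what turns the leak into account takeover.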
Just another leak I guess. But if anyone has any other links/ideas/stuff for me to play with, contact form’s on the left :)
Cheers,
Andrew
