Click here to search the VMWare user database!
So last week some time Chris Hadnagy linked me to the following URL: http://info.vmware.com/content/opt-out which was pretty interesting last week. Basically it allowed someone to fill in their email address to manage their VMWare subscriptions. I noticed a couple of things from the next pages:
- The fields auto-populated with details like Name, Phone Number etc (I know, without auth and only an email address – worriedface)
- Another tab became available that allowed you to update your details – again, no auth, scary
So I whipped out the good old Firebug and started looking through the AJAX calls till I came across this little gem:
http://now.eloqua.com/visitor/v200/svrGP.aspx?pps=50&siteid=524&DLKey=<sessionkey>&DLLookup=%3CC_EmailAddress%3E<email_address>%3C/C_EmailAddress%3E&ms=59
and the resulting page looked something like:
function GetElqContentPersonalizationValue(strDataField) {
    var strTemp = '';
    //alert('Data Field: ' + strDataField);
    if(strDataField == 'C_EmailAddress' || strDataField == 'EmailAddress') {strTemp = 'andrewmohawk\x40gmail.com';}
    if(strDataField == 'C_FirstName' || strDataField == 'FirstName') {strTemp = 'Andrew';}
    if(strDataField == 'C_LastName' || strDataField == 'LastName') {strTemp = 'MacPherson';}
Yeah, great info straight in that.. EEEK! So being the script kiddie (seriously, scripting languages FTW) I wrote a tiny PHP application to pull this info and display it.
However the issue was that if you could update someone's account, then you could simply change their email address, do a password reset and gain access to a commercial account giving people access to software that someone else paid loads for — this isn't cool so I didn't put the link out. However this week VMWare have removed the update page and the auto-populating fields — yet my scraper still works so I figured I'd put it out.
I’ve specifically left out the sessionkey to make it at least not a trivial cut and paste to get info yourself since it may still be possible to update from that code.
Just another leak I guess. But if anyone has any other links/ideas/stuff for me to play with, contact form's on the left :)
Cheers,
Andrew
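
One way to close the lookup-by-email hole described in the post, as an added example that is not part of the original post or of VMware's or Eloqua's code: the opt-out link carries an HMAC-signed, expiring token, and the server derives the address from the token instead of accepting one from the caller. The names `SECRET`, `CONTACTS`, `issueToken`, `verifyToken` and `lookupPreferences` and the sample record are assumptions made for the illustration.

```javascript
// Added example: signed opt-out tokens instead of lookup by bare e-mail address.
const crypto = require('crypto');

// Assumption: a server-side secret; generated here only so the example runs.
const SECRET = crypto.randomBytes(32);

// Constructed sample record standing in for the contact database.
const CONTACTS = new Map([
  ['alice@example.com', { firstName: 'Alice', lastName: 'Example' }],
]);

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) => crypto.createHmac('sha256', SECRET).update(payload).digest();

// Token placed in the link that is e-mailed to the subscriber.
function issueToken(email, ttlSeconds, now = Date.now()) {
  const payload = b64url(JSON.stringify({ email, exp: now + ttlSeconds * 1000 }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Returns the address the token was issued for, or null if it is
// malformed, forged or expired.
function verifyToken(token, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const expected = sign(payload);
  const given = Buffer.from(mac, 'base64url');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const { email, exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
    return typeof email === 'string' && typeof exp === 'number' && now < exp ? email : null;
  } catch {
    return null;
  }
}

// Preference lookup: the caller supplies only the token, never an address.
function lookupPreferences(token, now = Date.now()) {
  const email = verifyToken(token, now);
  const contact = email === null ? undefined : CONTACTS.get(email);
  // Identical failure response for bad tokens and unknown addresses,
  // so the endpoint cannot be used to test which addresses exist.
  return contact ? { status: 200, email, ...contact } : { status: 403 };
}
```

The same token check belongs in front of the update handler, since the post's larger concern is changing an account's address without authentication.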