AndrewNohawk
Coding Security

VMWare User Information Leak

Click here to search the VMWare user database!

So last week some time Chris Hadnagy linked me to the following URL: http://info.vmware.com/content/opt-out which was pretty interesting last week. Basically it allowed someone to fill in their email address to manage their VMWare subscriptions. I noticed a couple of things from the next pages:

  • The fields auto-populated with details like Name, Phone Number etc. (I know, without auth and only an email address – worriedface)
  • Another tab became available that allowed you to update your details – again, no auth, scary

So I whipped out the good old Firebug and started looking through the AJAX calls till I came across this little gem:

http://now.eloqua.com/visitor/v200/svrGP.aspx?pps=50&siteid=524&DLKey=<sessionkey>&DLLookup=%3CC_EmailAddress%3E<email_address>%3C/C_EmailAddress%3E&ms=59

and the resulting page looked something like:

function GetElqContentPersonalizationValue(strDataField)
{
var strTemp = '';
//alert('Data Field: ' + strDataField);
if(strDataField == 'C_EmailAddress' || strDataField == 'EmailAddress')
{strTemp = 'andrewmohawk\x40gmail.com';}
if(strDataField == 'C_FirstName' || strDataField == 'FirstName')
{strTemp = 'Andrew';}
if(strDataField == 'C_LastName' || strDataField == 'LastName')
{strTemp = 'MacPherson';}

Yeah, great info straight in that.. EEEK! So being the script kiddie (seriously, scripting languages FTW) I wrote a tiny PHP application to pull this info and display it.

However the issue was that if you could update someone's account, then you could simply change their email address, do a password reset and gain access to a commercial account, giving people access to software that someone else paid loads for — this isn't cool so I didn't put the link out. However this week VMWare have removed the update page and the auto-populating fields — yet my scraper still works so I figured I'd put it out.

I’ve specifically left out the sessionkey to make it at least not a trivial cut and paste to get info yourself since it may still be possible to update from that code.
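
A defender's view of the lookup URL above, as an added example that is not part of the original post: it counts how many distinct e-mail addresses each client requests through the DLLookup parameter and flags clients over a threshold. The log line layout (client IP, a space, then the request URL), the threshold, the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example: flag clients that look up many different e-mail addresses
// through the DLLookup parameter. Log layout and threshold are assumptions.

// Pull the address out of DLLookup=<C_EmailAddress>...</C_EmailAddress>.
function lookupEmail(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl, 'http://placeholder.invalid');
  } catch {
    return null; // unparseable request line
  }
  if (!/\/svrGP\.aspx$/i.test(url.pathname)) return null;
  const raw = url.searchParams.get('DLLookup'); // already percent-decoded
  const m = /<C_EmailAddress>([^<]*)<\/C_EmailAddress>/i.exec(raw || '');
  // Normalise case so Bob@ and bob@ count as one address.
  return m ? m[1].trim().toLowerCase() : null;
}

// Return clients that requested more than maxDistinct different addresses.
function findEnumerators(lines, maxDistinct = 3) {
  const seen = new Map(); // client IP -> Set of addresses looked up
  for (const line of lines) {
    const sp = line.indexOf(' ');
    if (sp < 0) continue;
    const email = lookupEmail(line.slice(sp + 1).trim());
    if (email === null) continue;
    const client = line.slice(0, sp);
    if (!seen.has(client)) seen.set(client, new Set());
    seen.get(client).add(email);
  }
  return [...seen]
    .filter(([, emails]) => emails.size > maxDistinct)
    .map(([client, emails]) => ({ client, distinct: emails.size }))
    .sort((a, b) => b.distinct - a.distinct);
}

// Constructed sample log: IPs, addresses and the DLKey value are made up.
const hit = (ip, email) =>
  `${ip} /visitor/v200/svrGP.aspx?pps=50&siteid=524&DLKey=PLACEHOLDER` +
  `&DLLookup=%3CC_EmailAddress%3E${encodeURIComponent(email)}%3C/C_EmailAddress%3E&ms=59`;
const SAMPLE_LOG = [
  hit('198.51.100.20', 'carol@example.com'), // one user, own address, twice
  hit('198.51.100.20', 'carol@example.com'),
  ...['a', 'b', 'c', 'd', 'A'].map((u) => hit('203.0.113.7', `${u}@example.org`)),
  '203.0.113.7 /index.html?DLLookup=ignored', // different path, not counted
];

console.log(findEnumerators(SAMPLE_LOG));
```

A client that only ever requests its own address stays under the threshold, while one walking through a list of addresses stands out by its distinct count.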

Just another leak I guess. But if anyone has any other links/ideas/stuff for me to play with, contact form’s on the left :)

Cheers,
Andrew
