Bug: Abidia & OAnywhere (All versions)


Published: 2006.09.18
Credit: Seth Fogie
Risk: Medium
CWE: N/A
CVE: CVE-2006-4744
Local: Yes
Remote: Yes

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Airscanner Mobile Security Advisory #06070101:

Abidia & OAnywhere (All versions)

Product:

Abidia & OAnywhere

Platform:

Tested on Windows Mobile Pocket PC 2005

Requirements:

Mobile device running Windows Mobile Pocket PC with Abidia & OAnywhere

Credits:

Seth Fogie

Airscanner Mobile Security

http://www.airscanner.com

Mobile Antivirus Researchers Association

http://www.mobileav.org

02/03/2006

Risk Level:

Medium

Summary:

Abidia Wireless enhances the eBay and international eBay sites with effortless, anytime, anywhere, access via wireless
handheld and mobile phone devices featuring customizable real-time synchronization with an eBay auction account,
wireless searching, cached browsing, wireless bidding, and the ability to effortlessly manage auction listings
on-the-go, anywhere you are, everywhere you need.

http://www.abidia.com/

Lack of user/pass protection for updates.

Details:

Update requests include authentication via a simple HTTP POST. The user/pass information for eBay is sent as plaintext.
Use of this service exposes the account information and also provides a proxy for brute force password cracking.

POST /srvc/api.php?user=sethfogie&pass=mypass&serial=&imei=xxxx&site=US&name=sell HTTP/1.1
Host: api.abidia.com
User-Agent: Abidia-Wireless/3.0.2 (PocketPC; 480x640; WindowsMobile/5.1.70)
Accept: text/html
Content-Language: en-US
Connection: Close
Content-Length: 84
Content-type: application/x-www-form-urlencoded

user=sethfogie&pass=mypass&serial=&imei=xxxx&site=US
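
A detection sketch for the exposure shown in the request above, added here as an example and not part of the Airscanner advisory: it parses one captured cleartext HTTP request and reports password-style parameters in the query string and in the form body. The function name, the parameter-name list and the embedded sample capture are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed list of password-style parameter names; "pass" is the one the advisory shows.
PASSWORD_PARAMS = {"pass", "password", "passwd", "pwd"}

# Constructed capture that mirrors the advisory's sanitized request.
SAMPLE_REQUEST = (
    "POST /srvc/api.php?user=sethfogie&pass=mypass&serial=&imei=xxxx"
    "&site=US&name=sell HTTP/1.1\r\n"
    "Host: api.abidia.com\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=sethfogie&pass=mypass&serial=&imei=xxxx&site=US"
)


def find_cleartext_passwords(raw_request):
    """Return (location, parameter) pairs for password fields in one request.

    Values are never returned, so findings can be logged without copying
    the secret into another log file.
    """
    text = raw_request.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    target = parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()

    findings = []
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in PASSWORD_PARAMS:
            findings.append(("query", name))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            if name.lower() in PASSWORD_PARAMS:
                findings.append(("body", name))
    return findings


if __name__ == "__main__":
    for location, name in find_cleartext_passwords(SAMPLE_REQUEST):
        print(f"password parameter {name!r} in {location} of cleartext request")
```

The query-string finding matters separately from the body finding: request targets are routinely written to web server and proxy access logs, so a password placed there is stored as well as transmitted.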

Workaround:

None

Vendor Response:

Awaiting Response

Copyright (c) 2006 Airscanner Corp.

Online advisory

http://www.airscanner.com/security/06070101_abidia_oanywhere.htm

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the
express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other
medium other than electronically, please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently
available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
