Abidia & OAnywhere (All versions)

2006.09.18
Credit: Seth Fogie
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Airscanner Mobile Security Advisory #06070101: Abidia & OAnywhere (All versions) Product: Abidia & OAnywhere Platform: Tested on Windows Mobile Pocket PC 2005 Requirements: Mobile device running Windows Mobile Pocket PC with Abidia & OAnywhere Credits: Seth Fogie Airscanner Mobile Security http://www.airscanner.com Mobile Antivirus Researchers Association http://www.mobileav.org 02/03/2006 Risk Level: Medium Summary: Abidia Wireless enhances the eBay and international eBay sites with effortless, anytime, anywhere, access via wireless handheld and mobile phone devices featuring customizable real-time synchronization with an eBay auction account, wireless searching, cached browsing, wireless bidding, and the ability to effortlessly manage auction listings on-the-go, anywhere you are, everywhere you need. http://www.abidia.com/ Lack of user/pass protection for updates. Details: Update requests include authentication via a simple HTTP POST. The user/pass information for eBay is sent as plaintext. Use of this service exposes the account information and also provides a proxy for brute force password cracking. POST /srvc/api.php?user=sethfogie&pass=mypass&serial=&imei=xxxx&site=US&name= sell HTTP/1.1 Host: api.abidia.com User-Agent: Abidia-Wireless/3.0.2 (PocketPC; 480x640; WindowsMobile/5.1.70) Accept: text/html Content-Language: en-US Connection: Close Content-Length: 84 Content-type: application/x-www-form-urlencoded user=sethfogie&pass=mypass&serial=&imei=xxxx&site=US Workaround: None Vendor Response: Awaiting Response Copyright (c) 2006 Airscanner Corp. Online advisory http://www.airscanner.com/security/06070101_abidia_oanywhere.htm Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top