Security hole found in CDNow! (www.cdnow.com)
daemon@ATHENA.MIT.EDU (Derricutt, Mark)
Wed Jun 9 14:56:30 1999
Date: Wed, 9 Jun 1999 12:24:47 +1200
Reply-To: "Derricutt, Mark" <DerricuttM@PBWORLD.COM>
From: "Derricutt, Mark" <DerricuttM@PBWORLD.COM>
To: BUGTRAQ@NETSPACE.ORG
Last week I stumbled across the following security hole in CDNow!, the
online CD store. I emailed CDNow! regarding this immediately but as yet
have not had any confirmation of receipt or response, so I decided to post
the information here. This is a copy of the email that I sent to CDNow.
Security Hole Found
I was just looking at my gift list, and pasted the URL to a mailing list.
That is, the URL in my location bar. After doing so I thought, wait, that's
not the URL I should have posted, so I then sent the proper URL, thinking that
CDNOW is password protected and no one would be able to get to my account,
but I decided to check by telnetting to a remote machine and going to that
URL.
The result was, I got a rejected cookie, and the page continued to load my
gift list (in edit mode). I then followed a link to my account history and
details, and initiated steps to order a CD. I'm assuming the SID parameter
in the URL was looking up the open transaction/connection that I made from
my local machine and was using that.
My assumption is that this URL would only be valid for a certain amount of
time, so the security flaw will eventually in an hour or so be closed off (I
hope), however, the fact is that this hole does exist.
--
Mark Derricutt, PB Power NZ Ltd (http://www.pbpower.net)
Now Playing... Lightmare - The Fool
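As an added illustration (not part of the original post, and not CDNow's code), the following models the failure described above: a session ID carried in the URL's SID parameter is enough to resume someone else's logged-in session from a remote host, even when the session cookie is absent. Beside it is a hardened lookup that only honours the cookie and enforces an idle timeout; the class and function names, the sample URL path and the one-hour timeout are assumptions.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Assumed idle expiry; the post only guesses "an hour or so".
IDLE_TIMEOUT = 3600  # seconds


class SessionStore:
    """Hypothetical in-memory session store: sid -> {"user", "last_seen"}."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        # Unguessable session identifier; created by a real login flow.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now or time.time()}
        return sid

    def _get_live(self, sid, now):
        # Returns the user for a live session, or None if unknown/expired.
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: drop it so it cannot be replayed
            return None
        s["last_seen"] = now
        return s["user"]

    def lookup_weak(self, url, cookies, now=None):
        """Flawed: falls back to the SID in the query string, so a pasted URL
        resumes the session even when the cookie was rejected or never sent."""
        qs = parse_qs(urlparse(url).query)
        sid = cookies.get("SID") or (qs.get("SID") or [None])[0]
        return self._get_live(sid, now or time.time()) if sid else None

    def lookup_hardened(self, url, cookies, now=None):
        """Hardened: the session is bound to the cookie only; a SID found in
        the URL is ignored, so sharing the URL leaks nothing usable."""
        sid = cookies.get("SID")
        return self._get_live(sid, now or time.time()) if sid else None
```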