[8734] in bugtraq


ValueClick CGI Vulnerability

daemon@ATHENA.MIT.EDU (Philip Stoev)
Sat Dec 19 14:41:11 1998

Date: 	Sat, 19 Dec 1998 17:19:34 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Philip Stoev <philip@EINET.BG>
X-To:         click-l@egroups.com
To: BUGTRAQ@NETSPACE.ORG

The ValueClick Online Advertising agency web interface has a CGI
vulnerability that allows easy username/password capture without using
sniffing software.

When you go to the ValueClick home page (www.valueclick.com) and log on, your
username and password are embedded in the URL, and if you subsequently leave
their site and go somewhere else, this URL will end up in that site's HTTP
Referer log, which I believe is a serious fault because one can easily not
just garble with your account, but also redirect any cheques you are about
to receive from ValueClick to himself.

ValueClick was notified several months ago and they responded that they would
substitute GET with POST in their CGI, but they have taken no such action.

Sincerely,

Philip Stoev

-- Free SAT & TOEFL preparation software @ http://studywiz.hypermart.net
This message was sent by Philip Stoev (philip@einet.bg)
tel: (359 2) 715949, 9549488 fax: (359 2) 544669
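A defender-side check for the leak described in this post, added here as an example and not part of the original message: it scans web-server access lines in the Apache combined format for a Referer whose query string carries credential-looking parameters (the footprint a GET-based login leaves in a third party's logs), and shows how such values can be redacted before the line is stored. The parameter-name list, the hostname adnetwork.example and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry login credentials (assumed list).
CREDENTIAL_PARAMS = {"username", "user", "login", "password", "passwd", "pwd", "pass"}

# Apache/NCSA "combined" log format; the Referer is the second-to-last quoted field.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines (not from the original post). The first Referer
# still carries a login that the referring site submitted with GET.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/1998:17:19:34 +0200] "GET / HTTP/1.0" 200 512 "http://adnetwork.example/cgi-bin/login?username=alice&password=s3cret" "Mozilla/4.0"
198.51.100.7 - - [19/Dec/1998:17:20:01 +0200] "GET /about HTTP/1.0" 200 2048 "http://adnetwork.example/stats?id=42" "Mozilla/4.0"
203.0.113.9 - - [19/Dec/1998:17:21:10 +0200] "GET /img/x.gif HTTP/1.0" 200 100 "-" "Mozilla/4.0"
"""

def credential_params(url):
    """Sorted names of query parameters in `url` that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in CREDENTIAL_PARAMS})

def redact(url):
    """Copy of `url` with credential-looking parameter values replaced, for safe storage."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe)))

def scan_log(text):
    """One finding per combined-format line whose Referer leaks credentials in its query string."""
    findings = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        leaked = credential_params(m["referer"])
        if leaked:
            findings.append({"client": m["client"], "leaked": leaked,
                             "referer_host": urlsplit(m["referer"]).netloc,
                             "safe_referer": redact(m["referer"])})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} arrived from {f['referer_host']} leaking {f['leaked']}")
```

Run against a real access log, a finding means the referring site, not yours, is exposing its users' logins; the same redaction applied at log-write time keeps those values out of your own files.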
