[18579] in bugtraq
EAGLE USA Shipment Tracking software
daemon@ATHENA.MIT.EDU (dmelch@NTPLX.NET)
Fri Jan 12 13:55:14 2001
Message-Id: <200101112100.QAA25326@thumper.ntplx.net>
Date: Thu, 11 Jan 2001 16:00:24 -0500
Reply-To: dmelch@ntplx.net
From: dmelch@NTPLX.NET
To: BUGTRAQ@SECURITYFOCUS.COM

I have discovered that the shipping software distributed by EAGLE USA sends
Username/Password information in clear text over the internet. This can be
replicated by installing the software and using a sniffer to view the HTML
string that gets passed to the server. Very clearly the Username password combo
appears in clear text in the string. This information could be very useful in a
corporate espionage situation in which gaining information about product
shipments by a competitor (how many of what product were shipped at what cost
to what customer when) could be of use.

David Melchionna
Senior Network Security Analyst
Bayer Pharmaceuticals.
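
The check described in the post, written as an added example that is not part of the original message or the vendor's software: a Python function an auditor can run over requests captured from their own client to flag credentials travelling in plaintext HTTP. The field-name list, host name and sample requests are constructed assumptions, since the post does not give the actual request format.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Field names treated as credential-bearing (assumed list; extend per application).
CRED_KEYS = {"user", "username", "userid", "login", "pass", "passwd", "password", "pwd"}

def find_cleartext_credentials(raw_request: bytes):
    """Return sorted (location, field) pairs for credentials visible in a
    plaintext HTTP request. Values are never returned, only where they sit."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []  # not a readable HTTP request line (e.g. a TLS record)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = set()
    # 1. Credentials placed in the URL query string.
    for key, _ in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        if key.lower() in CRED_KEYS:
            findings.add(("query", key))
    # 2. Credentials in a form-encoded request body.
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        for key, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in CRED_KEYS:
                findings.add(("body", key))
    # 3. HTTP Basic auth: base64 is an encoding, not encryption.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            if b":" in base64.b64decode(token, validate=True):
                findings.add(("header", "Authorization"))
        except ValueError:
            pass  # malformed token, nothing decodable to report
    return sorted(findings)

# Constructed sample captures (not the vendor's real request format).
SAMPLE_GET = (b"GET /track?username=demo&password=example&shipment=0001 HTTP/1.0\r\n"
              b"Host: tracking.example\r\n\r\n")
SAMPLE_POST = (b"POST /login HTTP/1.0\r\nHost: tracking.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"UserID=demo&Pwd=example")
SAMPLE_TLS = b"\x16\x03\x01\x00\x05hello"  # opaque bytes: no finding expected
```

An empty result for traffic to the login endpoint means the request line was not readable as HTTP, which is what a TLS-protected session looks like on the wire.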