The ValueClick Online Advertising agency web interface has a CGI vulnerability that allows easy username/password capture without using sniffing software. When you go to the ValueClick home page (www.valueclick.com) and log on, your username and password are embedded in the URL, and if you subsequently leave their site and go somewhere else, this URL will end up in that site's HTTP referrer log, which I believe is a serious fault because one can easily not just garble with your account, but also redirect any cheques you are about to receive from ValueClick to himself. ValueClick was notified several months ago and they responded that they would substitute GET with POST in their CGI, but they have taken no such action.

Sincerely,
Philip Stoev

--
Free SAT & TOEFL preparation software @ http://studywiz.hypermart.net

This message was sent by Philip Stoev (philipat_private)
tel: (359 2) 715949, 9549488 fax: (359 2) 544669
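The leak described in the post is visible to any site the user visits next: the credentials sit in the query string of the Referer header. The following is an added example (not part of the original post, and not ValueClick's code) showing how an operator of a receiving site, or an auditor of the affected site, can scan a standard "combined" web-server log for Referer values that carry credential-like parameters, and how to redact such URLs before they are stored. The log lines, the `ad-network.example` host, and the list of sensitive parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-string parameter names that commonly carry credentials (assumed list;
# extend it to match the application being audited).
SENSITIVE_KEYS = {"user", "username", "login", "password", "passwd", "pass", "pwd"}

# Apache/nginx "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: line 1 carries a login URL in its Referer, the
# others are benign (a search engine referrer and a direct request).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2001:14:25:15 -0700] "GET /index.html HTTP/1.0" 200 512 '
    '"http://ad-network.example/cgi-bin/login.cgi?user=alice&password=s3cret" "Mozilla/4.0"',
    '203.0.113.9 - - [13/Apr/2001:14:26:01 -0700] "GET /about.html HTTP/1.0" 200 1024 '
    '"http://search.example/?q=sat+prep" "Mozilla/4.0"',
    '203.0.113.7 - - [13/Apr/2001:14:27:44 -0700] "GET /img/logo.gif HTTP/1.0" 200 2048 '
    '"-" "Mozilla/4.0"',
]


def sensitive_params(url):
    """Return the sorted names of credential-like query parameters present in url."""
    query = urlsplit(url).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_KEYS)


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL can be kept in a log."""
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_referer_log(lines):
    """Return (line_number, redacted_referer, leaked_keys) for every line whose
    Referer header carries credential-like parameters."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer == "-":
            continue  # no Referer sent
        keys = sensitive_params(referer)
        if keys:
            findings.append((n, redact_url(referer), keys))
    return findings


if __name__ == "__main__":
    for line_no, safe_url, keys in scan_referer_log(SAMPLE_LOG):
        print(f"line {line_no}: Referer leaks {', '.join(keys)} -> {safe_url}")
```

The detection side is what a third-party site sees; the fix belongs to the site that puts credentials in the URL, which is exactly the GET-to-POST change the post says was promised. Submitting the login form with POST keeps the username and password in the request body, which browsers never copy into the Referer header.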
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:15 PDT