Home page logo

bugtraq logo Bugtraq mailing list archives

ValueClick CGI Vulnerability
From: philip () EINET BG (Philip Stoev)
Date: Sat, 19 Dec 1998 17:19:34 +0200

The ValueClick Online Advertising agency web interface has a CGI
vulnerability that allows easy username/password capture without using
sniffing software.

When you go to ValueClick home page (www.valueclick.com) and log on, your
username and password are embedded in the URL and if you subsequently leave
their site and go somewhere else, this URL will end up in this site's HTTP
refferer log which I beleive is a serious fault because one can easily not
just garble with your account, but also redirect any cheques you are about
to receive from ValueClick to himself.

ValueClick was notified several months ago and they responded they will
substitute GET with POST in their CGI, but they have taken no such action.


Philip Stoev

-- Free SAT & TOEFL preparation softwate @ http://studywiz.hypermart.net
This message was sent by Philip Stoev (philip () einet bg)
tel: (359 2) 715949, 9549488 fax: (359 2) 544669

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]