Zero Day Pizza Party - Yo Noid Advisory #00001

[Yo Noid <yo.its.the.noid () gmail com>]

Vulnerability: Open Pizza Databases and Email
Severity: Burnt Cheese
Vuln. Researcher: Yo! Noid Attack Squad

Did you expect Papa John's pizza to really care about their own
privacy policy?  I hope not.  How about a database of about 10,000
Papa Johns customers who complained over the past three months, angry
about their driver being an asshole or their cheese pizza not having
any sauce or cheese (wtf got delivered?  baked dough?)?

Sadly since Dominos killed off the Noid campaign, I don't have any
contacts in Dominos Marketing to sell this valuable information to, so
I thought I'd let the kids have fun with it:

http://webmail02.papajohns.com/Mail/dfs.nsf/

I guess their privacy policy only applies to satisfied customers...

OH! As my good friend Ron Popeil says, though, "But wait there's more!"

How about a list of names and usernames @papajohns.com?  Check out the
links under "Mail" here:

http://webmail02.papajohns.com/

Wait, is that "Papa" John Schnatter himself?  OH SNAP!

Most of the links are 403'd, but there are plenty of folks there with
their mail wide open.  Do a google search for
site:webmail02.papajohns.com to get a stunning 31,800 hits for pages
indexed on this should-be-internal site.  There's some really
interesting stuff about the price of cheese, store earnings reports,
and calenders for having meetings about pizza and stuff all day long
(don't you wish you had that job?).

You could probably poke around and find even more devious things to
do, but that wouldn't be very nice, even for the Noid.

Have fun kids!

Sincerely,
The Noid
http://www.nesplayer.com/yonoid/main.htm
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/