Re: Security Issue

From: Mike Bacher
Date: Saturday, January 11, 2003
Time: 11:58:41 am

At 11:12 AM 1/11/2003 -0800, you wrote:
>ISP List wrote:
>
> > I've found a security issue with the Customer Web Interface --
> > specifically, the Password Retrieval logic. It is pretty straightforward,
> > and is unlikely to be exploited, but it makes assumptions that should not
> > be made. Basically, if a customer does not have any E-Mail address or
> > Override E-mail address in their account, it sends the Password Retrieval
> > E-mail to "<login>@<main domain>" rather than returning an error. It is
> > possible that:
> >
> > 1. Customer A has login name of "joe" with no E-mail addresses or Override
> > E-mail address
> > 2. Customer B has login name of "joesmith" with E-mail address of
> > "joe@domain.com" which is also the Override E-mail address
> > 3. Customer A does a Password Retrieval and his password gets sent to
> > Customer B
> >
> > Can a preference be added that says "If Override E-mail does not exist, do
> > *not* send the Password Retrieval E-Mail"?
>
>You sure about that? In that scenario, unless Customer A was searching for
>"joesmith" with a matching zip code, nothing would get sent. If he searched
>for "joe" with the correct zip code, it would go to himself (as expected).
>
> - Shawn

Yes. Customer A knows his login name (joe) but not his password, and puts
"joe" in the field for password recovery with his correct zip code. Since
he (joe) has no Override E-mail address or E-mail addresses, OG is assuming
that "joe@domain.com" is him and it sends that password there, but in
reality "joe@domain.com" belongs to Customer B.

--Mike


---------------------------------------------------
To subscribe, unsubscribe or to search list archive
please visit http://www.optigold.com/lists/isp.html
---------------------------------------------------
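The defect described in this thread, modelled as an added example (this is not Optigold/OG code and not code from anyone on the list): a lookup that falls back to "<login>@<main domain>" when an account has no E-mail or Override E-mail address, placed beside the strict behaviour Mike asks for, plus an audit function that lists which logins would have their retrieval mail land in another customer's mailbox. The account records, zip codes, the `MAIN_DOMAIN` value and every function name are constructed for illustration.

```python
"""Password Retrieval address selection: reported fallback vs. strict behaviour.
All data and names below are constructed for this example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

MAIN_DOMAIN = "domain.com"  # constructed stand-in for the "<main domain>" in the thread


@dataclass
class Account:
    login: str
    zip_code: str
    emails: Tuple[str, ...] = ()       # E-mail addresses stored on the account
    override_email: Optional[str] = None


# Constructed sample accounts matching the scenario in the thread.
ACCOUNTS = [
    Account(login="joe", zip_code="90210"),                       # Customer A: no addresses
    Account(login="joesmith", zip_code="10001",                   # Customer B
            emails=("joe@domain.com",), override_email="joe@domain.com"),
]


def find_account(login: str, zip_code: str) -> Optional[Account]:
    """Match on login name plus zip code, as the retrieval form does."""
    for acct in ACCOUNTS:
        if acct.login == login and acct.zip_code == zip_code:
            return acct
    return None


def retrieval_address_fallback(login: str, zip_code: str) -> Optional[str]:
    """Reported behaviour: with no address on file, guess "<login>@<main domain>".
    Returns the address the retrieval e-mail would be sent to."""
    acct = find_account(login, zip_code)
    if acct is None:
        return None
    if acct.override_email:
        return acct.override_email
    if acct.emails:
        return acct.emails[0]
    return f"{acct.login}@{MAIN_DOMAIN}"   # unverified guess: the flaw


class NoVerifiedAddress(Exception):
    """Raised when the account has no stored address the mail may go to."""


def retrieval_address_strict(login: str, zip_code: str) -> str:
    """Requested behaviour: send only to an address stored on the account,
    otherwise refuse rather than guess."""
    acct = find_account(login, zip_code)
    if acct is None:
        raise NoVerifiedAddress("no matching account")
    if acct.override_email:
        return acct.override_email
    if acct.emails:
        return acct.emails[0]
    raise NoVerifiedAddress(f"account {acct.login!r} has no e-mail address on file")


def owner_of_address(address: str) -> Optional[str]:
    """Audit helper: login of the account that actually holds an address."""
    for acct in ACCOUNTS:
        if address == acct.override_email or address in acct.emails:
            return acct.login
    return None


def misdirected_logins() -> List[Tuple[str, str, str]]:
    """Audit: (login, guessed address, real owner) for every account whose
    fallback guess is another customer's stored address."""
    hits = []
    for acct in ACCOUNTS:
        if not acct.emails and not acct.override_email:
            guess = f"{acct.login}@{MAIN_DOMAIN}"
            owner = owner_of_address(guess)
            if owner and owner != acct.login:
                hits.append((acct.login, guess, owner))
    return hits


if __name__ == "__main__":
    print("fallback sends joe's password to:", retrieval_address_fallback("joe", "90210"))
    print("that address belongs to:", owner_of_address("joe@domain.com"))
    print("accounts at risk:", misdirected_logins())
```

Running the audit function against a real account table is the quick way to see whether the guess-and-send path has any live collisions before the preference Mike requests is in place; the strict variant raises the same exception for "no account" and "no address", so the form's error message need not reveal which case applied.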


