From contact@iweb.ca Tue Apr 15 17:56:53 2008
Return-Path:
X-Original-To: whats@wekk.net
Delivered-To: whats@wekk.net
Received: from localhost (localhost [127.0.0.1]) by wekk.net (Postfix) with ESMTP id 0226011A5 for ; Tue, 15 Apr 2008 17:56:53 +0200 (CEST)
X-Virus-Scanned: by wekk.net
X-Spam-Score: -2.257
X-Spam-Level:
X-Spam-Status: No, score=-2.257 tagged_above=-999 required=5 tests=[AWL=0.342, BAYES_00=-2.599]
Received: from wekk.net ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with SMTP id lfPqiyen8gpR for ; Tue, 15 Apr 2008 17:56:33 +0200 (CEST)
Received: from tatouine.privatedns.com (tatoine.privatedns.com [209.172.41.165]) by wekk.net (Postfix) with ESMTP id D4D1A868 for ; Tue, 15 Apr 2008 17:56:28 +0200 (CEST)
Received: by tatouine.privatedns.com (Postfix, from userid 33) id 49D2D3A0473; Tue, 15 Apr 2008 11:56:21 -0400 (EDT)
Subject: [RQ #1422510] (SC-IWEB-INFO) Important security breach in the customer hub
From: "[iWeb] Informations"
Reply-To: contact@iweb.ca
In-Reply-To: <1208275010.4988.72.camel@x61s.wekk.net>
References: <1208275010.4988.72.camel@x61s.wekk.net>
Message-ID:
Precedence: bulk
X-RT-Loop-Prevention: RQ
RT-Ticket: RQ #1422510
Managed-by: RT 3.6.1 (http://www.bestpractical.com/rt/)
RT-Originator: whats@wekk.net
To: whats@wekk.net
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
Date: Tue, 15 Apr 2008 11:56:21 -0400
X-Evolution-Source: imap://whats@mail.wekk.net/
Content-Transfer-Encoding: 8bit

[TICKET #1422510]

[English]
This is an automatic answer from iWeb Technologies web hosting services. Your request number is [#1422510]; please use the request number if you need to refer to this problem.

[Français]
This is an automatic reply from iWeb Technologies hosting services. Request number [#1422510] has been assigned to you; please use this number if you need to refer to this request.

[Español]
Your request has been assigned help ticket [#1422510]. Our team will answer soon. Please use this ticket number if you need to contact us again about the same question.

Thank you, Merci, Gracias !

iWeb Technologies inc.
1-888-909-iWEB (4932)
http://iWeb.Ca

-------------------------------------------------------------------------

Hi,

I have found an important security breach in the customer hub. The basic problem is that the sections of the customer hub don't check that I have permission to see a client's information.

For example, if I log in to the customer hub with my account, I'm able to see all iweb contacts:

https://hub.iweb.com/en/index.php?page=mesContact&contactId=2012

Then if I change the last url param (the id), I can see every contact in the database. This problem lets me see a lot of information about other products, network traffic, etc., and lets me modify it. For example, delete a random contact:

https://hub.iweb.com/en/index.php?page=mesContact&do=delete&contactId=140

I want to publish this security breach at the Bugtraq Mailing List, but I want to do that when iWeb has solved the problem.

Please, tell me something.

--
Albert Sellarès
GPG id: 0x13053FFE
http://www.wekk.net
whats_up@jabber.org
Membre de Catux.org http://catux.org
Linux User: 324456
Catalunya
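The report above describes a missing object-level authorization check: a `contactId` taken from the URL is looked up without verifying that the logged-in account owns it. The following is an added example (not iWeb's code, and not the reporter's) that models a `mesContact`-style view/delete handler in its flawed form next to a hardened form; the `Contact` dataclass, the `owner` field, the `CONTACTS` table and its two sample records are constructed for illustration.

```python
# Added example: object-level authorization for an endpoint keyed by contactId.
from dataclasses import dataclass


@dataclass
class Contact:
    id: int
    owner: str   # hypothetical: the customer account this contact belongs to
    email: str


# Constructed sample data standing in for the hub's contact table.
CONTACTS = {
    140: Contact(140, "alice", "alice@example.test"),
    2012: Contact(2012, "bob", "bob@example.test"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested contact."""


def view_contact_vulnerable(session_user, contact_id):
    # The flaw in the report: the id from the URL is looked up directly,
    # so any authenticated user can read (or act on) any contact.
    return CONTACTS[contact_id]


def _owned_contact(session_user, contact_id):
    # Hardened lookup: the record must exist AND belong to the caller.
    # "Missing" and "not yours" produce the same error so that differing
    # responses do not reveal which ids exist.
    contact = CONTACTS.get(contact_id)
    if contact is None or contact.owner != session_user:
        raise Forbidden(f"contact {contact_id} is not accessible to {session_user}")
    return contact


def view_contact(session_user, contact_id):
    return _owned_contact(session_user, contact_id)


def delete_contact(session_user, contact_id):
    # Every mutating action goes through the same ownership check.
    contact = _owned_contact(session_user, contact_id)
    del CONTACTS[contact.id]
    return True


def handle_request(session_user, params):
    # Minimal dispatcher mirroring page=mesContact&do=delete&contactId=N.
    if params.get("page") != "mesContact":
        raise KeyError("unknown page")
    contact_id = int(params["contactId"])
    if params.get("do") == "delete":
        return delete_contact(session_user, contact_id)
    return view_contact(session_user, contact_id)
```

The check is on the server-side session identity, not on anything the client sends, which is what makes changing the id in the URL ineffective.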