From hugo@iweb.com Wed Apr 16 15:52:48 2008
Return-Path:
X-Original-To: whats@wekk.net
Delivered-To: whats@wekk.net
Received: from localhost (localhost [127.0.0.1]) by wekk.net (Postfix) with ESMTP id B0A8E8A3 for ; Wed, 16 Apr 2008 15:52:48 +0200 (CEST)
X-Virus-Scanned: by wekk.net
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from wekk.net ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with SMTP id T3r5mYZ9yCv0 for ; Wed, 16 Apr 2008 15:52:39 +0200 (CEST)
Received: from palpatine.privatedns.com (palpatine.privatedns.com [209.172.32.36]) by wekk.net (Postfix) with ESMTP id 70C922A20 for ; Wed, 16 Apr 2008 15:52:39 +0200 (CEST)
Received: from Macintosh-2.local (unknown [192.168.0.202]) by palpatine.privatedns.com (Postfix) with ESMTP id 63BFD68163 for ; Wed, 16 Apr 2008 09:52:37 -0400 (EDT)
Message-ID: <480604A5.7010608@iweb.com>
Date: Wed, 16 Apr 2008 09:52:37 -0400
From: Hugo Dénommée
User-Agent: Thunderbird 2.0.0.12 (Macintosh/20080213)
MIME-Version: 1.0
To: whats@wekk.net
Subject: Re: Security breach hub client
References: <155a01c89f9d$aa3f0dc0$7400a8c0@iwebnewtech>
In-Reply-To: <155a01c89f9d$aa3f0dc0$7400a8c0@iwebnewtech>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
X-Evolution-Source: imap://whats@mail.wekk.net/
Content-Transfer-Encoding: 8bit

Hi Mr. Sellarès,

First, thank you for reporting this information. We just fixed the contact management breach in our Customer Hub.

I would like to have more details about:

"This problem lets me see a lot of information about other products, network traffic, etc, and lets me modify it"

Did you manage to access information about other products or details? Our tests do not reveal any security breach with other modules in the Hub.

Thank you.
Hugo Dénommée
VP of Development and Automation
http://iweb.com [iWeb]

wrote:
> Hi,
>
> I have found an important security breach in the customer hub. The basic
> problem is that the sections of the customer hub don't check that I
> have permission to see all client's information. For example if I log in
> to the customer hub with my account, I'm able to see all iweb contacts:
>
> https://hub.iweb.com/en/index.php?page=mesContact&contactId=2012
>
> Then if I change the last url param (the id), I can see every contact in
> database.
>
> This problem lets me see a lot of information about other products,
> network traffic, etc, and lets me modify it. For example, delete a
> random contact:
>
> https://hub.iweb.com/en/index.php?page=mesContact&do=delete&contactId=140
>
> I want to publish this security breach at Bugtraq Mailing List, but I
> want to do that when iweb8 has solved the problem.
>
> Please, tell me something.
>
> --
> Albert Sellarès GPG id: 0x13053FFE
> http://www.wekk.net whats_up@jabber.org
> Member of Catux.org http://catux.org
> Linux User: 324456 Catalunya
> =================================================
> Sebastien Page, Technical advisor [iWeb]
> Support / Client Hub : http://Hub.iWeb.ca
> FAQ: http://faq.iweb.ca/fr
> http://www.iWeb.ca
> =================================================
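The missing check the report describes, as an added example that is not iWeb's or the reporter's code: a hypothetical contact handler that trusts the contactId parameter, beside one that resolves the record and requires the session to own it before viewing or deleting (the account names and the ids 140 and 2012 are constructed sample data).

```python
# Added illustration, not iWeb's code: in-memory stand-in for the hub's contact store.
from dataclasses import dataclass, field

@dataclass
class Contact:
    contact_id: int
    owner: str          # account that may see or modify this contact
    name: str

@dataclass
class Hub:
    contacts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    # Vulnerable: any logged-in account can read or delete any contact,
    # because the only input selecting the record is the request parameter.
    def view_contact_vulnerable(self, session_user, contact_id):
        return self.contacts[contact_id].name

    def delete_contact_vulnerable(self, session_user, contact_id):
        del self.contacts[contact_id]
        return True

    # Hardened: look the record up, then require that the session owns it.
    # Unauthorized and nonexistent ids get the same answer, so the id space
    # is not enumerable, and every denial is recorded for detection.
    def _authorize(self, session_user, contact_id, action):
        contact = self.contacts.get(contact_id)
        if contact is None or contact.owner != session_user:
            self.audit.append((session_user, action, contact_id, "denied"))
            return None
        return contact

    def view_contact(self, session_user, contact_id):
        contact = self._authorize(session_user, contact_id, "view")
        return contact.name if contact else None

    def delete_contact(self, session_user, contact_id):
        if self._authorize(session_user, contact_id, "delete") is None:
            return False
        del self.contacts[contact_id]
        return True

def demo_hub():
    """Constructed sample data: two accounts, each owning one contact."""
    hub = Hub()
    hub.contacts[140] = Contact(140, "alice", "Alice's billing contact")
    hub.contacts[2012] = Contact(2012, "bob", "Bob's technical contact")
    return hub
```

A burst of "denied" audit entries from one session across many contact ids is the signal a defender would alert on for this bug class.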