From: Albert Sellarès <whats@wekk.net>
To: Hugo Dénommée
Subject: Re: Security breach hub client
Date: Wed, 16 Apr 2008 17:11:04 +0200

Hi Hugo,

I wasn't completely precise with this statement. The information that I could see was about other products, but without knowing which products I was seeing. With this link, after waiting a bit, I see lots of network graphs:

https://hub.iweb.com/en/index.php?page=mesGraph&clientProduitId=

I didn't search further, but I thought it very probable that there were other issues that would let me see more things.

Greetings.

On Wed, 16 Apr 2008 at 09:52 -0400, Hugo Dénommée wrote:
> Hi Mr Sellarès,
>
> First, thank you for reporting this information.
>
> We just fixed the contact management breach in our Customer Hub. I would
> like to have more details about:
>
> "This problem lets me see a lot of information about other products,
> network traffic, etc, and lets me modify it"
>
> Did you manage to access information about other products or details?
> Since our tests do not reveal any security breach with other modules
> in the Hub.
>
> Thank you.
>
> Hugo Dénommée
> VP of Development and Automation
> http://iweb.com
>
>
> [iWeb] wrote:
> > Hi,
> >
> > I have found an important security breach in the customer hub. The basic
> > problem is that the sections of the customer hub don't check that I
> > have permission to see all the client's information. For example, if I log in
> > to the customer hub with my account, I'm able to see all iweb contacts:
> >
> > https://hub.iweb.com/en/index.php?page=mesContact&contactId=2012
> >
> > Then if I change the last URL param (the id), I can see every contact in
> > the database.
> >
> > This problem lets me see a lot of information about other products,
> > network traffic, etc, and lets me modify it. For example, delete a
> > random contact:
> >
> > https://hub.iweb.com/en/index.php?page=mesContact&do=delete&contactId=140
> >
> > I want to publish this security breach at the Bugtraq mailing list, but I
> > want to do that when iweb has solved the problem.
> >
> > Please tell me something.
> >
> > --
> > Albert Sellarès        GPG id: 0x13053FFE
> > http://www.wekk.net    whats_up@jabber.org
> > Member of Catux.org    http://catux.org
> > Linux User: 324456     Catalunya
> > ==========================================================
> > Sebastien Page, Technical Consultant [iWeb]
> > Support / Hub Client: http://Hub.iWeb.ca
> > FAQ: http://faq.iweb.ca/fr
> > http://www.iWeb.ca
> > ==========================================================

--
Albert Sellarès        GPG id: 0x13053FFE
http://www.wekk.net    whats_up@jabber.org
Member of Catux.org    http://catux.org
Linux User: 324456     Catalunya

[Attachment signature.asc: a digitally signed message part (PGP signature block omitted)]
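The missing check behind the quoted report, as an added example (not iWeb's Customer Hub code, which is not on the page): a toy model of a contactId handler that trusts the URL id as-is, the same handler with the row's ownership tied to the session account, and a log scan a defender could run to find accounts that requested ids they do not own. All account names, ids and contacts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contact:
    contact_id: int
    owner_account: str  # customer account the contact belongs to
    name: str

class Forbidden(Exception):
    """Raised when the session's account may not act on the requested row."""

# Constructed sample data (not iWeb's): two customer accounts, three contacts.
CONTACTS = {
    2012: Contact(2012, "acct-wekk", "Albert S."),
    140: Contact(140, "acct-other", "Someone Else"),
    141: Contact(141, "acct-other", "Another Person"),
}

def view_contact_vulnerable(session_account, contact_id, store=CONTACTS):
    # Trusts the contactId parameter alone: any logged-in account reads any row.
    return store[contact_id]

def _owned(session_account, contact_id, store):
    # Ownership check shared by view and delete. A missing row and a row owned
    # by someone else get the same error, so the response does not confirm
    # which ids exist.
    contact = store.get(contact_id)
    if contact is None or contact.owner_account != session_account:
        raise Forbidden(f"contact {contact_id} not visible to {session_account}")
    return contact

def view_contact_fixed(session_account, contact_id, store=CONTACTS):
    return _owned(session_account, contact_id, store)

def delete_contact_fixed(session_account, contact_id, store=CONTACTS):
    # do=delete goes through the same check before touching the store.
    _owned(session_account, contact_id, store)
    del store[contact_id]
    return True

def accounts_touching_foreign_ids(access_log, store=CONTACTS):
    """Retrospective check over the hub's access log: which accounts requested
    contactIds they do not own? access_log is a list of (account, contactId)."""
    flagged = {}
    for account, contact_id in access_log:
        contact = store.get(contact_id)
        if contact is None or contact.owner_account != account:
            flagged.setdefault(account, set()).add(contact_id)
    return flagged
```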