Date: Wed, 9 Jun 1999 12:24:47 +1200
From: "Derricutt, Mark"
To: BUGTRAQ@netspace.org
Subject: Security hole found in CDNow! (www.cdnow.com)

Last week I stumbled across the following security hole in CDNow!, the online cd-store. I emailed CDNow! regarding this immediately but as yet have not had any confirmation of receipt or response, so I decided to post the information here.

This is a copy of the email that I sent to CDNow.

Security Hole Found

I was just looking at my gift list, and pasted the URL to a mailing list. That is, the URL in my location bar. After doing so I thought, wait, that's not the URL I should have posted, so then sent the proper URL, thinking that CDNOW is password protected and no one would be able to get to my account, but I decided to check by telnetting to a remote machine and going to that URL.

The result was, I got a rejected cookie, and the page continued to load my gift list (in edit mode). I then followed a link to my account history, and details, and initiated steps to order a cd.

I'm assuming the SID parameter in the URL was looking up the open transaction/connection that I made from my local machine and was using that.

My assumption is that this URL would only be valid for a certain amount of time, so the security flaw will eventually, in an hour or so, be closed off (I hope); however, the fact is that this hole does exist.

--
Mark Derricutt, PB Power NZ Ltd (http://www.pbpower.net)
Now Playing... Lightmare - The Fool
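
The behaviour reported above, modelled as an added example that is not part of the original post and is not CDNow's code: a session lookup that falls back to the SID in the URL, beside one that accepts the SID only from a cookie and expires idle sessions. The cookie name, idle timeout, host name and all function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

IDLE_TIMEOUT = 15 * 60  # assumed idle limit, in seconds

class SessionStore:
    """In-memory session table keyed by a random SID (constructed for this example)."""
    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire idle sessions server-side
            return None
        entry["last_seen"] = now
        return entry["user"]

def resolve_user_url_sid(store, url, cookies, now):
    """Weak form: falls back to the SID query parameter when no cookie is sent."""
    sid = cookies.get("SID")
    if sid is None:
        sid = parse_qs(urlsplit(url).query).get("SID", [None])[0]
    return store.lookup(sid, now) if sid else None

def resolve_user_cookie_only(store, url, cookies, now):
    """Hardened form: the URL is never a source of session identity."""
    sid = cookies.get("SID")
    return store.lookup(sid, now) if sid else None

def demo():
    store = SessionStore()
    sid = store.create("owner", now=0)
    shared_url = "https://shop.example.test/giftlist?SID=" + sid  # constructed URL
    no_cookies = {}  # second machine: cookie rejected, only the pasted URL
    return {
        "weak_other_machine": resolve_user_url_sid(store, shared_url, no_cookies, 60),
        "hardened_other_machine": resolve_user_cookie_only(store, shared_url, no_cookies, 60),
        "hardened_owner": resolve_user_cookie_only(store, shared_url, {"SID": sid}, 120),
        "weak_after_idle": resolve_user_url_sid(store, shared_url, no_cookies, 120 + IDLE_TIMEOUT + 1),
    }
```

The idle timeout only narrows the window for a leaked URL; keeping the SID out of the URL is what stops a pasted link from carrying the session.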