Date: Wed, 9 Jun 1999 12:24:47 +1200
From: "Derricutt, Mark" <DerricuttM@PBWORLD.COM>
To: BUGTRAQ@netspace.org
Subject: Security hole found in CDNow! (www.cdnow.com)

Last week I stumbled accross the following security hole in CDNow!, the
online cd-store.  I emailed CDNow! regarding this immediately but as yet
have not have any confirmation of receipt or response, so I decided to post
the information here.  This is a copy of the email that I sent to CDNow.

Security Hole Found

I was just looking at my gift list, and pasted the URL to a mailing list.
That is, the URL in my location bar, after doing so I thought, wait, thats
not the URL I should have posted, so then sent the proper URL thinking that
CDNOW is password protected and noone would be able to get to my account,
but I decided to check by telnetting to a remote machine and going to that
URL.

The result was, I got a rejected cookie, and the page continued to load my
gift list (in edit mode), I then followed a link to my account history, and
details, and initiated steps to order a cd.  I'm assuming the SID paramter
in the URL was looking up the open transaction/connection that I made from
my local machine and was using that.

My assumption is that this URL would only be valid for a certain amount of
time, so the security flaw will eventually in an hour or so be closed off (I
hope), however, the fact is that this hole does exist.


--
Mark Derricutt, PB Power NZ Ltd (http://www.pbpower.net)
Now Playing... Lightmare - The Fool