Security News Website Among 30 QuinStreet Compromised Sites

2013-03-13

Henry Garrison

http://seclists.org/fulldisclosure/2013/Mar/135

[eSecurityPlanet was among 30 sites identified on the full-disclosure mailing list as having a security vulnerability that allowed anyone to dump user data. Mr. Garrison posted a proof-of-concept Perl script for obtaining the data, which was not validated by attrition.org staff.]
# March 13, 2013
# FULL-DISCLOSURE Exclusive - Vielen Dank John!
#
# VULNERABILITY SUMMARY
# ---------------------
# A confirmed security vulnerability has been identified with 30 high traffic web
# sites owned by QuinStreet.   Vendor stores database IDs in cookies which are
# easily spoofed (USERID_COOKIE), allowing all user information to be accessed. 
# Seven million users are reportedly in the database:
# http://www.itbusinessedge.com/about-itbe
#
# Web sites include:
#
# Ziff Davis
# ----------
# http://www.eweek.com/
# http://www.baselinemag.com/
# http://www.cioinsight.com/
# http://www.channelinsider.com/
# http://www.eseminarslive.com/
#
# Developer.com Network
# ---------------------
# http://www.developer.com/
# http://www.devx.com/
# http://www.codeguru.com/
# http://www.htmlgoodies.com/
#
# IT Business Edge Network
# ------------------------
# http://www.itbusinessedge.com/
# http://www.datamation.com/
# http://www.smallbusinesscomputing.com/
# http://www.internetnews.com/
# http://www.serverwatch.com/
# http://www.infostor.com/
# http://www.enterprisestorageforum.com/
# http://www.enterprisenetworkingplanet.com/
# http://www.enterpriseappstoday.com/
# http://www.cioupdate.com/
# http://www.databasejournal.com/
# http://www.esecurityplanet.com/
# http://www.webopedia.com/
# http://www.linuxtoday.com/
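
The flaw the summary above describes, a raw database ID in USERID_COOKIE accepted as proof of identity, is illustrated below beside a hardened lookup that binds the ID to a server-side HMAC so a client-edited cookie is rejected. This is an added example, not code from the post or from QuinStreet; the user table, the cookie layout and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the vendor user database (hypothetical records).
USERS = {
    "1001": {"name": "Alice", "email": "alice@example.invalid"},
    "1002": {"name": "Bob", "email": "bob@example.invalid"},
}

# Server-side key; generated once per process here, kept in a secret store in practice.
SERVER_SECRET = secrets.token_bytes(32)


def lookup_user_vulnerable(userid_cookie: str):
    """Pattern described in the advisory: the cookie holds the bare database ID
    and the server treats it as authenticated, so whatever ID the client writes
    into the cookie selects the record that is returned."""
    return USERS.get(userid_cookie)


def _tag(user_id: str, key: bytes) -> str:
    # HMAC over the ID; only a holder of the server key can produce a valid tag.
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def make_signed_cookie(user_id: str, key: bytes = None) -> str:
    """Issue the cookie as '<id>.<hmac>' after the user has actually logged in."""
    key = SERVER_SECRET if key is None else key
    return f"{user_id}.{_tag(user_id, key)}"


def lookup_user_hardened(userid_cookie: str, key: bytes = None):
    """Reject any cookie whose tag does not match the ID it carries.
    Returns the record only for cookies the server itself issued."""
    key = SERVER_SECRET if key is None else key
    user_id, sep, tag = userid_cookie.partition(".")
    if not sep or not user_id or not tag:
        return None  # legacy bare-ID cookie or malformed value
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(_tag(user_id, key), tag):
        return None
    return USERS.get(user_id)
```

An opaque random session identifier looked up server-side is the stronger standard fix, since a signed ID still exposes the database key and cannot be revoked without rotating the secret; the signed form above is the minimal change that stops the spoofing the post describes.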
