Operation TIPS
From: George Imburgia (gti@armorfirewall.com)
Date: 07/17/02
- Previous message: TLR@portcullis-security.com: "RE: Query"
- Next in thread: Benjamin Krueger: "Re: Operation TIPS"
- Reply: Benjamin Krueger: "Re: Operation TIPS"
- Reply: George Imburgia: "Re: Operation TIPS - the FEMA response"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Jul 2002 10:50:48 -0400 (EDT)
From: George Imburgia <gti@armorfirewall.com>
To: vuln-dev@securityfocus.com
Recently, the federal government started a program to recruit utility
workers, postal employees, truck drivers and such into an informant
program:
http://www.citizencorps.gov/tips.html
When you choose to join, it takes you to:
https://www.citizencorps.gov/citizen/jsp/volunteerform.jsp?programName=5
After looking at the source code of this url, it became apparent that
sanity checking of user input is done on the client. Testing confirmed
that this is exploitable.
In other words, it's easy to retrieve a list of their volunteer
informants.
Apparently they plan to address issues like this the easy way, by locking
up people that exploit it for life. This is a FEMA site, which would
qualify for a life sentence under the "Cyber Security Enhancement Act of
2002".
George Imburgia
Senior Network Security Engineer
Capitol Networking
gti@armorfirewall.com