Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread Ed Carp

On Tue, 17 Aug 2010, Vulnerabilities wrote:

> It's possible to get all customers FULL personal details, server admins
> etc...

Since ccbill.com handles a lot of transactions for porn sites, it could be 
potentially embarrassing for a lot of people...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread Jeffrey Walton
On Tue, Aug 17, 2010 at 11:53 AM, Michael Holstein wrote:
>
>> "It is very easy to reach our Information Security team at
>> secur...@ccbill.com."
>>
>> Please show at least 1 page where this e-mail is written !
>
> http://www.faqs.org/rfcs/rfc2142.html
>
> (but I see your point .. Microsoft --for example-- refuses to read email
> sent to such addresses and requires you answer a convoluted webform to
> do most anything).
From what I have read in the past, Microsoft's security team responds
to sec...@microsoft.com. Howard and Lipner state such in The Security
Development Lifecycle, p. 30; and the MSRC webpage states it responds
to over 100,000 emails to the address annually
(http://www.microsoft.com/security/msrc/).

But I do see your point - RFC 2142 was an Internet Draft in early
1997, and the Microsoft Security Response Center was set up in 1998.
It appears the email address was never reconciled.

Jeff



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread Michael Holstein

> "It is very easy to reach our Information Security team at
> secur...@ccbill.com."
>
> Please show at least 1 page where this e-mail is written !

http://www.faqs.org/rfcs/rfc2142.html

(but I see your point .. Microsoft --for example-- refuses to read email
sent to such addresses and requires you answer a convoluted webform to
do most anything).

Cheers,

Michael Holstein
Cleveland State University



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread PsychoBilly
Ya a HaX0RR, so Email Blind Injection should have been no problem for you ;)


> "It is very easy to reach our Information Security team at
> secur...@ccbill.com."
>
> Please show at least 1 page where this e-mail is written !



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread Vulnerabilities
"It is very easy to reach our Information Security team at 
secur...@ccbill.com."


Please show at least 1 page where this e-mail is written !

Great that you are not using 23214dasdawk...@ccbill.com :) we could 
guess secur...@ccbill.com ...


So what about those addresses ?
supp...@ccbill.com and clientsupp...@ccbill.com

All e-mails from us were read - we have confirmation so 

regards,

AS TEAM

On 2010-08-17 05:52, William Bell wrote:


At CCBill we take web application security very seriously. I can 
assure you that no one in this organization received any type of 
disclosure prior to the posting of the vulnerability to this list. It 
is very easy to reach our Information Security team at 
secur...@ccbill.com. We are working hard 
to identify the issue in question and a post will be made here once 
it is resolved. I ask that the researcher from ariko-security.com 
please contact us at the email provided.


William Bell

Director of Information Security

CCBill.com





--
Ariko-Security
Rynek Główny 12
32-600 Oświęcim
tel.: +48 33 4741511 mobile: +48 784086818

Ariko-Security Sp. z o.o., with its registered office in Oświęcim, registered by 
the District Court for Kraków-Śródmieście, XII Commercial Division of the 
National Court Register, KRS: 0358273, NIP: 549-239-90-67, REGON 121262172


Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-17 Thread William Bell
At CCBill we take web application security very seriously. I can assure you 
that no one in this organization received any type of disclosure prior to the 
posting of the vulnerability to this list. It is very easy to reach our 
Information Security team at secur...@ccbill.com. 
We are working hard to identify the issue in question and a post will be made 
here once it is resolved. I ask that the researcher from ariko-security.com 
please contact us at the email provided.

William Bell
Director of Information Security
CCBill.com

Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread Jeffrey Walton
On Mon, Aug 16, 2010 at 10:06 PM, Michal Zalewski wrote:
>> A COI knows no national boundaries.
>
> Oh sure - but Jeffrey seems to be particularly critical of US
> policies; I suspect this is unfair ;-)
Agreed! I don't have a neutral point of view when it comes to the
folks who are the back bone of the country (whatever country that is).
I seem to be getting more liberal as I get older.



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread Michal Zalewski
> A COI knows no national boundaries.

Oh sure - but Jeffrey seems to be particularly critical of US
policies; I suspect this is unfair ;-)

/mz



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread mrx

On 17/08/2010 01:17, Michal Zalewski wrote:
>> It seems that corporate America's purchasing of politicians (err, PAC
>> contributions) has been well worth the investment. Legislation is such
>> that victims and shareholders both suffer after a breach.
>>
>> * Heartland Databreach Lawsuit Dismissed
>>   http://news.cnet.com/8301-27080_3-10413194-245.html
>>
>> * Most claims dismissed in Hannaford data breach suit
>>   http://www.computerworld.com/s/article/9133075/Most_claims_dismissed_in_Hannaford_data_breach_suit
>>
>> * Class Action Suit Over Aetna's Security Breach Is Dismissed
>>   http://www.law.com/jsp/article.jsp?id=1202446049469
>>
>> * Starbucks Data Breach Class Action Dismissed
>>   https://www.washingtontechnology.org/community/forums/thread/673.aspx
> 
> And what's the history of successful class action lawsuits against
> pwned credit card processors in Europe again?
> 
> /mz


A COI knows no national boundaries.



-- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread Michal Zalewski
> It seems that corporate America's purchasing of politicians (err, PAC
> contributions) has been well worth the investment. Legislation is such
> that victims and shareholders both suffer after a breach.
>
> * Heartland Databreach Lawsuit Dismissed
>   http://news.cnet.com/8301-27080_3-10413194-245.html
>
> * Most claims dismissed in Hannaford data breach suit
>   http://www.computerworld.com/s/article/9133075/Most_claims_dismissed_in_Hannaford_data_breach_suit
>
> * Class Action Suit Over Aetna's Security Breach Is Dismissed
>   http://www.law.com/jsp/article.jsp?id=1202446049469
>
> * Starbucks Data Breach Class Action Dismissed
>   https://www.washingtontechnology.org/community/forums/thread/673.aspx

And what's the history of successful class action lawsuits against
pwned credit card processors in Europe again?

/mz



Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread Jeffrey Walton
> # 30/07/2010 - Vendor notified. / no response
> # 03/08/2010 - Vendor notified. / no response
> # 10/08/2010 - Vendor notified. / no response
It's unfortunate that the vendor did not respond. But in the US,
legislation is such that it's more cost-effective to suffer the breach
and then turn it over to PR rather than invest the time and money in
fixing/training/etc.

It seems that corporate America's purchasing of politicians (err, PAC
contributions) has been well worth the investment. Legislation is such
that victims and shareholders both suffer after a breach.

Jeffrey Walton

* Heartland Databreach Lawsuit Dismissed
   http://news.cnet.com/8301-27080_3-10413194-245.html

* Most claims dismissed in Hannaford data breach suit
   http://www.computerworld.com/s/article/9133075/Most_claims_dismissed_in_Hannaford_data_breach_suit

* Class Action Suit Over Aetna's Security Breach Is Dismissed
   http://www.law.com/jsp/article.jsp?id=1202446049469

* Starbucks Data Breach Class Action Dismissed
   https://www.washingtontechnology.org/community/forums/thread/673.aspx


On Mon, Aug 16, 2010 at 7:19 PM, Vulnerabilities wrote:
>  We want to warn you about security vulnerabilities in CCBILL.COM
> Internet billing service.
>
> CCBill is an Internet billing service. Established in 1998, the company
> provides third-party billing, or turn-key solutions, for e-Merchants
> requiring payments by way of credit card, debit card, or e-check,
> European Debit/Direct Pay, and telephone payment.
>
> Since Ccbill is a privately held company, little is known about its
> finances; however, it is estimated that more than a billion dollars per
> year in credit card charges are processed through Ccbill in the US and
> abroad.
>
> Time Table:
> # 20/07/2010 We have found multiple Blind SQL injections.
>
> # 30/07/2010 - Vendor notified. / no response
> # 03/08/2010 - Vendor notified. / no response
> # 10/08/2010 - Vendor notified. / no response
>
> CCBILL.COM vulnerability:
>
> Multiple blind SQL injections
>
> It's possible to get all customers FULL personal details, server admins
> etc...
>
> It is also possible to read any file from ccbill.com and write to this
> server too.
>
> JPG sample tables proof:
> http://www.ariko-security.com/images/ccbill_proof1.jpg
>
> Credit:
> # Discovered By: MG / Ariko-Security 2010
> # http://advisories.ariko-security.com/august/audyt_bezpieczenstwa_719.html
>
>



[Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities

2010-08-16 Thread Vulnerabilities
  We want to warn you about security vulnerabilities in CCBILL.COM 
Internet billing service.

CCBill is an Internet billing service. Established in 1998, the company 
provides third-party billing, or turn-key solutions, for e-Merchants 
requiring payments by way of credit card, debit card, or e-check, 
European Debit/Direct Pay, and telephone payment.

Since Ccbill is a privately held company, little is known about its 
finances; however, it is estimated that more than a billion dollars per 
year in credit card charges are processed through Ccbill in the US and 
abroad.

Time Table:
# 20/07/2010 We have found multiple Blind SQL injections.

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

CCBILL.COM vulnerability:

Multiple blind SQL injections

It's possible to get all customers FULL personal details, server admins 
etc...

It is also possible to read any file from ccbill.com and write to this 
server too.

JPG sample tables proof:
http://www.ariko-security.com/images/ccbill_proof1.jpg

Credit:
# Discovered By: MG / Ariko-Security 2010
# http://advisories.ariko-security.com/august/audyt_bezpieczenstwa_719.html
