[Full-disclosure] VMWare Manage Subscriptions - Info Disclosure
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] VMWare Manage Subscriptions - Info Disclosure
- From: p8x <l@xxxxxxx>
- Date: Tue, 05 Apr 2011 18:03:04 +0800
Hi all,
Not really sure if this is an intended feature but I decided to
unsubscribe from the VMWare Newsletters that get sent out today. You get
sent to the following address to unsubscribe:
http://info.vmware.com/content/opt-out?elq=[UNIQUE ID]
The ID provided in the URL looks like it is to just pre-fill the form,
and the elq parameter can be left off completely. If you fill out the
form with *any* email address that has a VMWare account there does not
appear to be any validation to see if you are the actual owner. You are
then able to click "Profile Management" at the top of the page and you
can then see the details that the user filled in during registration.
This may be intended, but I find it unusual that "personal" details are
disclosed without any verification...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
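
The missing ownership check described in the post can be closed by binding the mailed link to the recipient's address and refusing to show profile data without it. The following is an added example, not part of the original post and not VMware's code; the key, account store, token format and function names are all hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for illustration: key, accounts and field names are hypothetical.
SECRET_KEY = b"example-only-key-load-from-a-secret-store"
TOKEN_TTL = 7 * 24 * 3600  # seconds a mailed link stays valid
ACCOUNTS = {"alice@example.com": {"name": "Alice Example", "company": "Example Corp"}}


def _sign(email: str, expires: int) -> bytes:
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest().encode()


def make_link_token(email: str, now: Optional[int] = None) -> str:
    """Token placed in the link mailed to `email`; binds the address and an expiry."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires).decode()}"


def token_is_valid(email: str, token: Optional[str], now: Optional[int] = None) -> bool:
    """True only if the token was issued for this exact address and has not expired."""
    if not token or "." not in token:
        return False
    expires_s, sig = token.split(".", 1)
    if not (expires_s.isascii() and expires_s.isdigit()):
        return False
    expires = int(expires_s)
    current = int(time.time() if now is None else now)
    # compare_digest avoids leaking the expected signature through timing.
    return expires >= current and hmac.compare_digest(sig.encode(), _sign(email, expires))


def handle_opt_out(email: str, token: Optional[str], now: Optional[int] = None) -> dict:
    """Unsubscribing needs no proof of ownership; reading the profile does."""
    response = {"status": "unsubscribe request received", "profile": None}
    # Unknown addresses and unverified requests get the same response, so the
    # form does not reveal which addresses have accounts.
    key = email.lower()
    if key in ACCOUNTS and token_is_valid(email, token, now):
        response["profile"] = ACCOUNTS[key]
    return response
```
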