KGB Vulnerability Advisory 20070612-2

Title: Fontbonne University Lack of Encryption of Non-Public Information
Date: 12 June 2007
Author: Particle Bored
Vulnerability Class: Information Disclosure
Affected Systems: http://www.fontbonne.edu/

Overview:
POSTs destined for the web site are sent over public networks unencrypted. The POSTs contain such data as:
  Name
  Social Security Number
  Date of Birth
  Address
  Phone Number

Technical Details:
HTTP POSTs to http://www.fontbonne.edu/academics/optionsprogramsadultevenin/optionsfinancialaid/forms/cashandinvestmentform.htm are sent in clear text. Error responses from http://www.fontbonne.edu/cgi-bin/fbs_fontbonne also appear to echo the submitted sensitive information back to the client, again in clear text.

Impact:
System administrators and anyone else with access to the network path between the user and the site can intercept most of the information needed to steal an individual's identity. Such interception is passive and can easily be carried out without detection.

Recommendations:
Use SSL/TLS (HTTPS) or another widely recognized method to encrypt the transmission of non-public information. Both the page that serves the form and the CGI handler that receives the POST should be delivered over HTTPS: if the form page itself arrives in clear text, an attacker on the path can rewrite its action attribute, and encrypting only the handler gains nothing.

Discovered: 14 May 2007
Vendor Notified: 12 June 2007 (webmaster@fontbonne.edu)
General Release: 09 December 2007 after no response from vendor

Public Disclosure:
In order to best serve the interests of all parties affected, this advisory will be made publicly available 30 days after the initial vendor notification.

Disclaimer:
The information in this advisory is believed to be accurate at the time of publishing based on currently available information. The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness for use or otherwise. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

About KGB:
KGB is an independent vulnerability research organization based in the United States. It provides the results of its research free of charge, since that is all most development companies are willing to pay for security and quality assurance.

Copyright 2007 KGB.TO. All rights reserved. Permission is hereby granted for the electronic redistribution of this advisory. It is not to be edited in any way without the express consent of KGB.TO. If you wish to reprint the whole or any part of this alert in any non-electronic medium, please email particle.bored@kgb.to for permission.
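The check below is an added example written for this editorial copy; it is not part of the KGB advisory and was not run against the Fontbonne site. It parses a page's HTML with the standard library, resolves each form's action against the page URL, and flags any form that carries fields with names suggesting non-public information (SSN, date of birth, address and so on) when either the action or the page itself is plain http. The page URL, handler path, field names and the sensitivity word list are all constructed for the example.

```python
"""Flag HTML forms that would submit sensitive fields over cleartext HTTP.

Added example, not code from the advisory. The sample page, its URL and the
field names are constructed; SENSITIVE_HINTS is an assumed starting list.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that usually indicate non-public information (assumed).
SENSITIVE_HINTS = ("ssn", "social", "dob", "birth", "name", "address", "phone", "pass")


class FormCollector(HTMLParser):
    """Collects every <form> with its resolved action, method and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            kind = (a.get("type") or "text").lower()
            # Buttons and hidden fields are not user-entered data.
            if name and kind not in ("submit", "button", "hidden"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_fields(fields):
    """Return the field names that match one of the sensitivity hints."""
    return [f for f in fields if any(h in f.lower() for h in SENSITIVE_HINTS)]


def audit_forms(page_url, html):
    """Return one finding per form that exposes sensitive fields to cleartext."""
    parser = FormCollector(page_url)
    parser.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    findings = []
    for form in parser.forms:
        sensitive = sensitive_fields(form["fields"])
        if not sensitive:
            continue
        reasons = []
        if urlsplit(form["action"]).scheme == "http":
            reasons.append("action is cleartext http")
        if page_is_http:
            # Even an https action is unsafe if the page carrying the form
            # can be rewritten in transit.
            reasons.append("form page served over http (action can be rewritten in transit)")
        if reasons:
            findings.append({"action": form["action"], "method": form["method"],
                             "sensitive_fields": sensitive, "reasons": reasons})
    return findings


# Constructed sample page modelled on a financial-aid form; nothing here is
# taken from the affected site.
SAMPLE_URL = "http://www.example.edu/forms/cashandinvestmentform.htm"
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/handler" method="post">
  <input type="text" name="full_name">
  <input type="text" name="ssn">
  <input type="text" name="date_of_birth">
  <input type="text" name="street_address">
  <input type="text" name="phone">
  <input type="hidden" name="form_id" value="cash">
  <input type="submit" value="Send">
</form>
<form action="https://secure.example.edu/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{f['method'].upper()} {f['action']} {f['sensitive_fields']}: "
              + "; ".join(f["reasons"]))
```

To audit a live page, fetch its HTML with whatever client you prefer and pass the final URL (after redirects) as page_url; the scheme of that final URL is what decides whether the page itself can be tampered with on the wire. The hint list is deliberately broad and will produce false positives on fields such as "username"; the point is to surface every form that needs a human look, not to classify data precisely.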