Contributors
Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security ) [Project Leader]

The Web Hacking Incidents Database
Last update:07 November 2007

Incident WHID 2006-2

WHID 2006-2: GSA takes down eOffer after finding security flaw
Date: 13 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

Documents uploaded to GSA site where accessed using a predictable sequential identifier without requiring special permissions. The documents where available both for viewing and modifying. The site was in service for more than 18 months until the vulnerability was discovered.

References:



This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
© Copyright 2005, Web Application Security Consortium. All rights reserved.