Date: Thu, 25 Aug 2005 20:14:43 +0200
From: "Fischer, Andreas" <Andreas.Fischer@...ystems.com>
To: bugtraq@...urityfocus.com
Subject: ssl-login-checkbox faked in Lycos webmail-frontend


Lycos Webmail offers a checkbox named "SSL LOGIN" which lets you assume a secure transfer of your credentials - it's only pretended! Repeated sniffs show account and password in cleartext - no https-packet came across...
The interesting part of the related http-packet:

...
login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******&password=geheim000&ssl=on
HTTP/1.0 302 Found
Date: Thu, 25 Aug 2005 17:51:48 GMT
Content-Length: 63
Content-Type: text/html
Expires: Fri, 26 Aug 2005 17:51:48 GMT
Cache-Control: max-age=86400, private
Proxy-Connection: keep-alive
Server: Apache/1.3.33 (Unix) Resin/2.1.12 mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c

...and so on. Funny, isn't it? Or poor!

Lycos was informed on July 27.

greetings - fish
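
Added example, not part of the original post: a static audit that flags login forms whose password field is submitted to a non-HTTPS action even though the form offers an "ssl" checkbox. The sample page is constructed; its field names follow the POST body quoted above, while the host webmail.example, the /login path and the markup are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action and input fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._open = {"action": action, "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            kind = (a.get("type") or "text").lower()
            self._open["inputs"].append((kind, a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(page_url, html):
    """Return one finding per form that posts a password over plain HTTP."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        fields = form["inputs"]
        secure = urlsplit(form["action"]).scheme == "https"
        if secure or not any(kind == "password" for kind, _ in fields):
            continue
        # A checkbox is just another POST parameter; it cannot change transport.
        toggles = [n for kind, n in fields if kind == "checkbox" and "ssl" in n.lower()]
        findings.append({"action": form["action"], "cosmetic_ssl_toggles": toggles})
    return findings

# Constructed sample: field names follow the POST body quoted in the message;
# host, path and markup are assumptions for illustration.
SAMPLE_URL = "http://webmail.example/index.html"
SAMPLE_HTML = """
<form method="post" action="/login">
  <input type="text" name="login"><input type="password" name="password">
  <input type="checkbox" name="ssl"> SSL LOGIN
</form>
<form action="https://webmail.example/login"><input type="password" name="p"></form>
"""
print(audit_login_forms(SAMPLE_URL, SAMPLE_HTML))
```

This is a static check only: a script that rewrites the form action at submit time is not evaluated, so a finding should be confirmed with a packet capture like the one in the message.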

