lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: secure.bugtraq at tag.odessa.ua (Andrew G. Tereschenko)
Subject: iName/Mail.com security holes opens door to millions of e-mail accounts

----- Original Message ----- 
From: "Colt Peacemaker" <colt45@....lonestar.org>
Sent: Friday, August 30, 2002 8:46 AM

> Heh.  Posting on full-disclosure seems to have set the cat among the 
> pigeons there ...
> 
> AFAICT they seem to have disabled a lot of other stuff over the last 12 
> hours or so (javascript for example).

Disagree. They was unable to completely fix HTML attachment bug.
Mail.com has all bugs discovered in other free email systems for last 2-3 years.
I still have example replacing down group of buttons and firing javascript
in onSubmit event
Mail.com has changed /scripts/common/profile.cgi script. (finaly !!).
But i still think that it's possible to get session cookies and use them for evil purpose.

I give ~15 hours to Mail.com to find solution and will 
update my example email if they will fail.

As for a javascript - only minor changes was made.
Not a complete solution.

--
Andrew G. Tereschenko
TAG Software Research Lab
Odessa, Ukraine

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ