Date: Thu, 19 Jun 2008 10:43:08 -0300
From: "H2G-Labs Information Security" <h2glabs.infosec@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Brazilian Bank (Caixa Economica Federal) vuln

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi folks,
some Brazilian banks have been implementing a system based on computer
identification (like a PC registration).

The system has some vulns and can be easily exploited.

I am trying to contact the Caixa Economica Federal
(http://www.caixa.gov.br) without success.

If the attacker has the USERNAME and the PASSWORD of the user
account, the attacker can log in to the bank account without identifying
the computer.

To do this, after entering the USERNAME and PASSWORD of the account, put the
code in the browser (on the agree-terms page):
javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);

And you will be logged in, without needing to register/identify your machine.

I hope the CAIXA team solves this problem quickly.

Sorry for my bad English, I am Brazilian.

Regards...

- --
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG (PRIVATE)
Comment: H2G-Labs Information Security
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
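Added example (not part of the original post, and not the bank's code): the post shows that the next step of the login flow was decided by the browser-side form, an onsubmit handler plus a hidden "navegacao" field, so editing the page was enough to skip device registration. The JavaScript below contrasts a server handler that trusts that client-supplied field with one that derives the next step only from server-held session state, and adds a small detection check for the tampered submit. The session shape, step identifiers and the meaning attached to the value "16" are constructed for illustration; the post does not document what "16" means on the real site.

```javascript
// Constructed step identifiers for a simplified login flow.
const STEP_LOGIN = "login";
const STEP_DEVICE_REGISTRATION = "device_registration";
const STEP_LOGGED_IN = "logged_in";

// Constructed stand-in for the hidden-field value the post says jumps
// straight to the account; its real semantics are an assumption here.
const NAVEGACAO_SKIP_TO_ACCOUNT = "16";

// Vulnerable pattern: the server lets the client-supplied navigation field
// decide the next step. The onsubmit handler that would have blocked this
// runs in the user's browser, so it enforces nothing against a user who
// edits the page.
function vulnerableNextStep(session, form) {
  if (!session.authenticated) return STEP_LOGIN;
  if (form.navegacao === NAVEGACAO_SKIP_TO_ACCOUNT) return STEP_LOGGED_IN;
  return STEP_DEVICE_REGISTRATION;
}

// Hardened pattern: the next step depends only on state the server holds
// (was the password accepted, has this device completed registration).
// The form may still carry a navegacao field, but it is ignored for the
// authorization decision.
function hardenedNextStep(session, form) {
  if (!session.authenticated) return STEP_LOGIN;
  if (!session.deviceRegistered) return STEP_DEVICE_REGISTRATION;
  return STEP_LOGGED_IN;
}

// Detection hook: a submit that claims the "skip" value while the session
// has no registered device is exactly the tampering the post describes.
// A real deployment would log the session id and source address here.
function isSuspiciousSubmit(session, form) {
  return Boolean(session.authenticated) &&
         !session.deviceRegistered &&
         form.navegacao === NAVEGACAO_SKIP_TO_ACCOUNT;
}

// Runs the tampered submit (constructed input) through both handlers.
function demo() {
  const session = { authenticated: true, deviceRegistered: false };
  const tamperedForm = { navegacao: NAVEGACAO_SKIP_TO_ACCOUNT };
  return {
    vulnerable: vulnerableNextStep(session, tamperedForm),   // "logged_in"
    hardened: hardenedNextStep(session, tamperedForm),       // "device_registration"
    suspicious: isSuspiciousSubmit(session, tamperedForm),   // true
  };
}

console.log(demo());
```

The design point is that a hidden form field and an onsubmit handler are presentation, not policy: any precondition for reaching the account (here, a registered device) must be re-checked on the server from state the client cannot edit, and a request that contradicts that state is worth alerting on rather than silently redirecting.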
