Date: Fri, 20 Jun 2008 10:11:27 -0300
From: "H2G-Labs Information Security" <h2glabs.infosec@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Brazilian Bank (Caixa Economica Federal) vuln


> Hi folks,
> some Brazilian banks have been implementing a system based on computer
> identification (like a PC register).
>
> The system has some vulns and can be easily exploited.
>
> I am trying to contact the Caixa Economica Federal
> (http://www.caixa.gov.br) without success.
>
> If the attacker has the USERNAME and the PASSWORD of the user
> account, the attacker can log in to the bank account without identifying
> the computer.
>
> To do this, after entering the USERNAME and PASSWORD of the account, put the
> code in the browser (on the agree-terms page):
> javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);
>
> And you will be logged in, without needing to register/identify your machine.
>
> I hope the CAIXA team solves this problem in a hurry.
>
> Sorry for my bad English, I am Brazilian.
>
> Regards...

This vulnerability has been patched!

Regards...

-- 
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com

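Added example, not code from this thread or from the bank: a minimal server-side model of the workflow that the quoted bookmarklet skips. It contrasts a handler that obeys the client's hidden "navegacao" field with one that keeps the step in the server session and refuses a jump past device identification. Only step code 16 comes from the message; the other step codes, the session fields and the device_token check are assumptions.

```python
from dataclasses import dataclass

# Hypothetical step codes for the hidden "navegacao" field; only "16" appears in
# the quoted message, the others are constructed for this example.
STEP_LOGIN, STEP_TERMS, STEP_DEVICE_ID, STEP_ACCOUNT = "1", "5", "10", "16"

# The single transition the server is willing to make from each step.
ALLOWED_NEXT = {
    STEP_LOGIN: {STEP_TERMS},
    STEP_TERMS: {STEP_DEVICE_ID},
    STEP_DEVICE_ID: {STEP_ACCOUNT},
}


@dataclass
class Session:
    step: str = STEP_LOGIN           # server-side record of where the user is
    device_registered: bool = False  # set only by completing the device step


def vulnerable_handle(session: Session, form: dict) -> str:
    """Vulnerable pattern: the next step is whatever the client's hidden field
    says, so clearing onsubmit and posting navegacao=16 reaches the account."""
    session.step = form.get("navegacao", session.step)
    return session.step


def hardened_handle(session: Session, form: dict) -> str:
    """Hardened pattern: the server owns the workflow state, accepts only the
    transition it expects, and gates the account step on device registration."""
    requested = form.get("navegacao", "")
    if requested not in ALLOWED_NEXT.get(session.step, set()):
        return "error:unexpected-step"
    if session.step == STEP_DEVICE_ID:
        # Leaving the device step needs a device token; a real deployment would
        # verify it against the registered-machine store (assumed here).
        if not form.get("device_token"):
            return "error:device-not-registered"
        session.device_registered = True
    if requested == STEP_ACCOUNT and not session.device_registered:
        return "error:device-not-registered"
    session.step = requested
    return requested
```

The rejected "unexpected-step" result is also the event worth logging: a session asking for a step its server-side state does not allow is a direct signal of client-side tampering.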
