Date: Fri, 20 Jun 2008 10:11:27 -0300
From: "H2G-Labs Information Security" <h2glabs.infosec@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Brazilian Bank (Caixa Economica Federal) vuln

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> Hi folks,
> Some Brazilian banks have implemented a system based on computer
> identification (like a PC register).
>
> The system has some vulns and can be easily exploited.
>
> I am trying to contact Caixa Economica Federal
> (http://www.caixa.gov.br) without success.
>
> If the attacker has the USERNAME and the PASSWORD of the user
> account, the attacker can log in to the bank account without identifying
> the computer.
>
> To do this, after entering the USERNAME and PASSWORD of the account, put the
> following code in the browser (on the "agree terms" page):
> javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);
>
> And you will be logged in, without needing to register/identify your machine.
>
> I hope the CAIXA team solves this problem in a hurry.
>
> Sorry for my bad English, I am Brazilian.
>
> Regards...

This vulnerability has been patched!

Regards...
- --
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG (PRIVATE)
Comment: H2G-Labs Information Security

iQIVAwUBSFustsJBTfehHgWwAQpEhA/9HPOOC/fiUY4jmDcBWeSfMK6OEyRLkQtM
pwpnKksGkptrs8u8PvtfvEhcLEAeegNlVQdGsaZ9I/KgSyRR/b65KhWYXu5jITPW
3DWli+EhEV3O1N0BVDcmID8T8FO2Xi7DhKU5ii4gBqU0idyQTqQY+Jt+NwhcC0p2
/V831nhalXP7R8ApNradIuLCiWo/6rs6dOUo1wONfk4b03cEZhg5XzUyMM+xwiG2
UAHfG1L1aGNJhLZLIh03dGDjJ/83L+cax7jcRTU74W+yxj0oE+972KzdNXJE6RWi
4fZi88BlqZSPb4f1fVfTPVEPOdZ5VcT7LJS++LfjCtnoa+NjsgPOzxmq5QDsuCbh
bJAAlcR8ESZxfFAiQisXJTlKx4xEkGvI9r5jyEE60Lg9mc9SubCr/c71AOSDJ1H0
1b7ZzWGqE5xkYe8Z4By7Ktvl+4aAcR1fMaDMrsJnrqq5hkDNMIG5pCGu9bGD2mRd
V9MljIDnkrhxJMha76I4/86E/FYBjUppEdLHLMRpW+2pQEyEURKAI+vUiCrwrl5t
OeH4x3JBJwUUCL2Z+dXVJaPL0oK4Mys39PRrSiaNWuohqopkmkxrelfeZQVFEe9P
ZawC/fwk2x4vL2zJ/Uaq0Aza6OxvSYtcnX2TIN3n0qUmhcaAp3M6J896oFYBoEhS
pRY51whrUxU=
=lKdg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
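Editor's worked example, added here and not code from the post, from H2G-Labs or from the bank: the bypass quoted above works only because the server lets a hidden form field (`navegacao`) decide which step of the login workflow comes next, so clearing the `onsubmit` handler and writing `16` into that field skips the device-registration step. The field name and the value `16` are the ones quoted in the post; everything else (the session layout, the step names, the token check, the two handlers) is an assumption constructed for illustration of the vulnerable pattern and its server-side fix.

```python
"""Client-controlled workflow state vs. server-owned workflow state.

Added example (not from the original post). The field name `navegacao`
and the value '16' come from the Full-Disclosure post; the session
structure, step names and handlers below are assumptions.
"""
import hmac


def fresh_session():
    """Constructed session: username/password accepted, device NOT yet
    registered ("identified")."""
    return {"authenticated": True, "device_registered": False}


# Constructed request body: what the browser submits after the exploit
# line document.forms[0].navegacao.value='16'; ...submit();
FORGED_POST = {"navegacao": "16"}


def vulnerable_next_step(session, form):
    """Vulnerable pattern (assumed): the server reads the step number from
    the client-submitted hidden field and renders whatever it asks for.
    The JavaScript onsubmit check on the 'agree terms' page is the only
    thing keeping the user on the registration path, and the client
    can simply delete it."""
    if not session["authenticated"]:
        return "login"
    step = form.get("navegacao")
    if step == "16":
        return "account_home"  # granted without consulting device_registered
    return "device_registration"


def hardened_next_step(session, form):
    """Hardened pattern: the next step is derived from state the server
    owns. The `navegacao` field may still be sent, but it can never skip
    a control that has not been completed server-side."""
    if not session["authenticated"]:
        return "login"
    if not session["device_registered"]:
        return "device_registration"
    return "account_home"


def complete_device_registration(session, presented_token, expected_token):
    """Only the server-side handler for the registration step flips the
    flag, and only after the device check succeeds. The token comparison
    is a stand-in (assumed) for whatever the real device check does;
    compare_digest avoids a timing side channel on the comparison."""
    if hmac.compare_digest(presented_token, expected_token):
        session["device_registered"] = True
    return session["device_registered"]


if __name__ == "__main__":
    # Same forged request against both handlers.
    print("vulnerable:", vulnerable_next_step(fresh_session(), FORGED_POST))
    print("hardened:  ", hardened_next_step(fresh_session(), FORGED_POST))
    s = fresh_session()
    complete_device_registration(s, "device-token", "device-token")
    print("after real registration:", hardened_next_step(s, FORGED_POST))
```

The check a reviewer would ask for on any multi-step login (terms page, device registration, second factor) is the one `hardened_next_step` makes: every transition is decided from server-side session state, and the client-supplied step indicator is at most a hint. Removing the client-side `onsubmit` validation is something any user can do from the address bar, so it counts for nothing in the threat model.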