Date: Tue, 18 Nov 2008 09:10:46 -0700
From: dateline@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Bad CNN. No cookie for you!

Dear CNN,

Even though you still have not responded directly to me, I want to
thank you for responding so quickly to the Full Disclosure exploit.
I see that you have removed the entire section titled "CNN.com
Extras". This removes the "My recently viewed pages" link that can
be used to validate the exploit.

Unfortunately, you still assign the js_memberservices.mrv and
js_user_topics cookies when visitors view news reports on your
site. The code that you use for updating these cookie values
(appending, deleting, etc.) is still vulnerable. Your programmers
are not properly quoting user-supplied parameters and not taint-
checking for special characters.

The problem is not that CNN.com has (still has) web pages that do
not check for hostile user-supplied data. The problem is that
CNN.com is accepting user-supplied data for web page and HTTP
header generation, without any checks for variable content. A well-
crafted cookie value can still p0wn cnn.com.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
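Added example, not code from the post or from CNN: how the two contexts the message names (a cookie value reflected into page JavaScript, and a value written into a Set-Cookie header) can be taint-checked and quoted. The cookie names come from the post; the value format, helper names and sample values are assumptions.

```javascript
// Assumed format for js_memberservices.mrv: '|'-separated numeric page ids
// (constructed; the post does not document the real format).
const MRV_RE = /^[0-9]{1,12}(\|[0-9]{1,12}){0,19}$/;

// Taint check: accept only values in the expected shape, reject everything
// else rather than trying to strip "special characters" out of it.
function validateMrv(raw) {
  if (typeof raw !== 'string' || !MRV_RE.test(raw)) return null;
  return raw;
}

// Quoting for a JavaScript context: emit a JSON string literal and also
// escape the characters that can close an inline <script> or break a line.
function toJsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Quoting for an HTTP header context: RFC 6265 cookie-octets exclude CTLs,
// whitespace, '"', ',', ';' and '\', so CR/LF or ';' can never reach the wire.
const COOKIE_OCTET_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
function setCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_.-]+$/.test(name)) throw new Error('bad cookie name');
  if (!COOKIE_OCTET_RE.test(value)) throw new Error('bad cookie value');
  return `${name}=${value}; Path=/; HttpOnly; Secure`;
}

// The pattern the post describes: the cookie value interpolated unquoted.
function renderUnsafe(raw) {
  return `var mrv = "${raw}";`;
}

// Hardened: validate first, then quote for the JavaScript context.
function renderSafe(raw) {
  const v = validateMrv(raw);
  return `var mrv = ${toJsStringLiteral(v === null ? '' : v)};`;
}

// Constructed sample cookie values.
const GOOD_MRV = '1034|22|9';
const BAD_MRV = '12"; bad=1;\r\n';
```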