Message-ID: <20030319154650.18866.qmail@hackermail.com>
Date: Wed, 19 Mar 2003 23:46:50 +0800
From: "dong-h0un U" <xploit@...kermail.com>
To: bugtraq@...urityfocus.com
Subject: [INetCop Security Advisory] ++Danger++ Outblaze Web based e-mail
    that is exposed in very dangerous state !!!




	==========================================
	INetCop Security Advisory #2003-0x82-014.c
	==========================================


* Title: ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!!


0x01. Description


Outblaze Web based e-mail is a solution used worldwide.
INetCop Security found a fatal vulnerability in the Outblaze Web based e-mail solution
that lets a user find out another user's password.


0x02. Vulnerable Sites


Vendor site: http://www.outblaze.com (Please visit.)


0x03. Exploit


The exploit succeeds by forging a user's cookie.

1. First, read the user's cookie.
2. Change the mail id, domain, etc. in the cookie information.
3. Send the changed information to the mail server.

With this method, an attacker can get into the page that changes a user's information.
The attacker can also get the answer to the relevant user's password hint.

The Outblaze solution conveniently tells a user the password when the user has lost it. But this is a weakness.
This method makes it possible to attack other users' accounts and use their passwords as the cracker likes.


0x04. Patch


--

We notified Outblaze of this issue in the Web based e-mail solution beforehand.
A patch is going to be released soon.

--

Thank you.

P.S.: Sorry for my poor English.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze
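
The cookie change described in section 0x03 only works when the server accepts the mail id and domain fields exactly as the client sends them. The following is an added example, not part of the original advisory and not Outblaze's code: it contrasts that trusting pattern with a cookie whose identity fields are bound by a server-side HMAC. The field names, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Server-side secret (constructed for this example); it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: str) -> str:
    """HMAC-SHA256 tag over the identity fields."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(mail_id: str, domain: str) -> str:
    """Build the cookie at login; urlencode keeps '&' and '=' out of values."""
    payload = urlencode({"id": mail_id, "domain": domain})
    return f"{payload}&sig={_mac(payload)}"


def identity_trusting(cookie: str):
    """Weak pattern: believe whatever id/domain the client sends back."""
    fields = dict(parse_qsl(cookie))
    return fields.get("id"), fields.get("domain")


def identity_verified(cookie: str):
    """Hardened pattern: return the identity only if the tag matches."""
    payload, sep, sig = cookie.rpartition("&sig=")
    if not sep or not hmac.compare_digest(_mac(payload).encode(), sig.encode()):
        return None  # edited or unsigned cookie: treat as not logged in
    fields = dict(parse_qsl(payload))
    return fields.get("id"), fields.get("domain")


if __name__ == "__main__":
    # Constructed sample: a cookie issued to one user, then edited client-side.
    cookie = issue_cookie("alice", "example.test")
    edited = cookie.replace("id=alice", "id=bob")
    print("trusting server sees:", identity_trusting(edited))
    print("verifying server sees:", identity_verified(edited))
```

A signature stops edits to the cookie fields but not replay of a cookie copied from its owner, so pages that change account details or reveal a password hint answer should also require the current password.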

