| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <003901c24f52$565d8fc0$2b00a8c0@ibis.local> From: secure.bugtraq at tag.odessa.ua (Andrew G. Tereschenko) Subject: iName/Mail.com security holes opens door to millions of e-mail accounts Thanks Colt for a note, It was fixed by replacing body to xbody tag. But the game still runs. It takes for me 6 minutes to invent another example of this bug. Not a 100% result, expected ~30%. It's an extremly easy to cut navigation items from down of page by using unclosed comments. Inserting own (linked to evil host) is a one minute task. Current sample will work in case if user will use group of buttons located at the down of email. I think a lot of other samples can be used. Mail.com failed to correctly show html attachements. Nobody is perfect, -- Andrew G. Tereschenko TAG Software Research Lab Odessa, Ukraine secure@....odessa.ua P.S> Just for a record: Ukraine is a fully independ country. ----- Original Message ----- From: "Colt Peacemaker" <colt45@....lonestar.org> Sent: Thursday, August 29, 2002 12:22 PM > Looks fixed to me. At least, it doesn't work for me when I try... <BODY> > and other HTML tags seem to be streng verboten there at any rate. [skiped]
Powered by blists - more mailing lists