lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003901c24f52$565d8fc0$2b00a8c0@ibis.local>
From: secure.bugtraq at tag.odessa.ua (Andrew G. Tereschenko)
Subject: iName/Mail.com security holes opens door to millions of e-mail accounts

Thanks Colt for a note,

It was fixed by replacing body to xbody tag.
But the game still runs.

It takes for me 6 minutes to invent another example of this bug.
Not a 100% result, expected ~30%.
It's an extremly easy to cut navigation items from down of page
by using unclosed comments.
Inserting own (linked to evil host) is a one minute task.

Current sample will work in case if user will use 
group of buttons located at the down of email.

I think a lot of other samples can be used.
Mail.com failed to correctly show html attachements.

Nobody is perfect,
--
Andrew G. Tereschenko
TAG Software Research Lab
Odessa, Ukraine
secure@....odessa.ua




P.S> Just for a record:
 Ukraine is a fully independ country.


----- Original Message ----- 
From: "Colt Peacemaker" <colt45@....lonestar.org>
Sent: Thursday, August 29, 2002 12:22 PM

> Looks fixed to me.  At least, it doesn't work for me when I try... <BODY>
> and other HTML tags seem to be streng verboten there at any rate.
[skiped]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ