| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000c01c2501b$f734b1c0$2b00a8c0@ibis.local> From: secure.bugtraq at tag.odessa.ua (Andrew G. Tereschenko) Subject: iName/Mail.com security holes opens door to millions of e-mail accounts ----- Original Message ----- From: "Colt Peacemaker" <colt45@....lonestar.org> Sent: Friday, August 30, 2002 8:46 AM > Heh. Posting on full-disclosure seems to have set the cat among the > pigeons there ... > > AFAICT they seem to have disabled a lot of other stuff over the last 12 > hours or so (javascript for example). Disagree. They was unable to completely fix HTML attachment bug. Mail.com has all bugs discovered in other free email systems for last 2-3 years. I still have example replacing down group of buttons and firing javascript in onSubmit event Mail.com has changed /scripts/common/profile.cgi script. (finaly !!). But i still think that it's possible to get session cookies and use them for evil purpose. I give ~15 hours to Mail.com to find solution and will update my example email if they will fail. As for a javascript - only minor changes was made. Not a complete solution. -- Andrew G. Tereschenko TAG Software Research Lab Odessa, Ukraine
Powered by blists - more mailing lists