|
Full Disclosure
mailing list archives
iName/Mail.com security holes opens door to millions of e-mail accounts
From: full-disclosure () lists netsys com (Andrew G. Tereschenko)
Date: Thu, 29 Aug 2002 14:50:52 +0300
Thanks Colt for a note,
It was fixed by replacing body to xbody tag.
But the game still runs.
It takes for me 6 minutes to invent another example of this bug.
Not a 100% result, expected ~30%.
It's an extremly easy to cut navigation items from down of page
by using unclosed comments.
Inserting own (linked to evil host) is a one minute task.
Current sample will work in case if user will use
group of buttons located at the down of email.
I think a lot of other samples can be used.
Mail.com failed to correctly show html attachements.
Nobody is perfect,
--
Andrew G. Tereschenko
TAG Software Research Lab
Odessa, Ukraine
secure () tag odessa ua
P.S> Just for a record:
Ukraine is a fully independ country.
----- Original Message -----
From: "Colt Peacemaker" <colt45 () sdf lonestar org>
Sent: Thursday, August 29, 2002 12:22 PM
Looks fixed to me. At least, it doesn't work for me when I try... <BODY>
and other HTML tags seem to be streng verboten there at any rate.
[skiped]
 By Date 
By Thread
Current thread:
|
Intro
