Full Disclosure
mailing list archives
iName/Mail.com security holes opens door to millions of e-mail accounts
From: full-disclosure () lists netsys com (Andrew G. Tereschenko)
Date: Fri, 30 Aug 2002 14:54:12 +0300
----- Original Message -----
From: "Colt Peacemaker" <colt45 () sdf lonestar org>
Sent: Friday, August 30, 2002 8:46 AM
Heh. Posting on full-disclosure seems to have set the cat among the
pigeons there ...
AFAICT they seem to have disabled a lot of other stuff over the last 12
hours or so (javascript for example).
Disagree. They were unable to completely fix the HTML attachment bug.
Mail.com has all the bugs discovered in other free email systems for the last 2-3 years.
I still have an example replacing the down group of buttons and firing javascript
in the onSubmit event.
Mail.com has changed the /scripts/common/profile.cgi script. (finally !!).
But I still think that it's possible to get session cookies and use them for evil purposes.
I give Mail.com ~15 hours to find a solution and will
update my example email if they fail.
As for javascript - only minor changes were made.
Not a complete solution.
--
Andrew G. Tereschenko
TAG Software Research Lab
Odessa, Ukraine