Full Disclosure mailing list archives

RE: Insecure http pages referencing https form-actions.
From: "Aditya Deshmukh" <aditya.deshmukh () online gateway strangled net>
Date: Wed, 10 Aug 2005 08:55:29 +0530

Today I realized that many "secured" web sites reference their secure 
login page from an insecure page.  

Nowadays most of the secure web pages have both the forms and the login
page ref'ed.

See Hotmail & Yahoo. And for insecure pages that you described, man-in-the-middle
attacks are always possible.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

