|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Keith Dallara (dallara
mail.com)Date: Fri Jan 04 2002 - 09:18:17 CST
This problem was fixed this morning.
Keith Dallara
Director, E-Mail Product Management
dallaramail.com
-----Original Message-----
From: Digital Shadow [mailto:dshadowwhoever.com]
Sent: Thursday, January 03, 2002 12:16 PM
To: mailsupportstaff.mail.com
Cc: bugtraqsecurityfocus.com
Subject: Mail.com Cross Site Scripting Vulnerability
----------------------------------------------
Mail.com Cross Site Scripting Vulnerability
Ministry-of-Peace - www.ministryofpeace.co.uk
----------------------------------------------
SYNOPSIS
Mail.com offers free webmail services, which are used
by tens of thousands of people around the world.
The site suffers from a CSS vulnerability, giving a
malicious user the ability to view the site cookies of
any user currently logged in.
IMPACT
If a malicious user can get the mail.com user to follow
a simple link, then they can grab that users mail.com
cookies and possibly use them to authenticate as that
user.
WORKING EXAMPLE
Log into your mail.com account, and then go to:
CREDITS
Vulnerability discovered by Digital Shadow.
INFO
Security Advisory #03
_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup
1 cent a minute calls anywhere in the U.S.!
http://www.getpennytalk.com/cgi-bin/adforward.cgi?p_key=RG9853KJ&url=http://www.getpennytalk.com
--
_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup
1 cent a minute calls anywhere in the U.S.!
http://www.getpennytalk.com/cgi-bin/adforward.cgi?p_key=RG9853KJ&url=http://www.getpennytalk.com
http://mymail.mail.com/scripts/common/forgotpasswd.cgi?login=
ment.writeln(document.cookie)</scripts --></p>
Published: 03rd January 2002
--