ssl-login-checkbox faked in Lycos webmail-frontend
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: ssl-login-checkbox faked in Lycos webmail-frontend
- From: "Fischer, Andreas" <Andreas.Fischer@xxxxxxxxxxxxx>
- Date: Thu, 25 Aug 2005 20:14:43 +0200
Lycos Webmail offers a checkbox named "SSL LOGIN" which lets you assume a secure
transfer of your credentials - it's only pretended! Repeated sniffs show
account and password in cleartext - no https-packet came across...
The interesting part of the related http-packet:
...
login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******&password=geheim000&ssl=on
HTTP/1.0 302 Found
Date: Thu, 25 Aug 2005 17:51:48 GMT
Content-Length: 63
Content-Type: text/html
Expires: Fri, 26 Aug 2005 17:51:48 GMT
Cache-Control: max-age=86400, private
Proxy-Connection: keep-alive
Server: Apache/1.3.33 (Unix) Resin/2.1.12 mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c
...and so on. Funny, isn't it? Or poor!
Lycos informed on July 27.
greetings - fish
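A defender-side check for the behaviour described in the post, added here as an example and not part of the original message: it parses a captured login POST (a constructed sample with dummy credentials) and flags password fields that travel over plaintext HTTP even though the form's "ssl" checkbox claims otherwise. The sensitive field names, the host, and the `transport_tls` flag (what the capture actually observed on the wire) are assumptions.

```python
"""Added example: detect credentials sent in cleartext despite an "ssl=on" form field."""
from urllib.parse import parse_qs

# Assumed field names that carry secrets; "hiddenpassword" mirrors the post's capture.
SENSITIVE_FIELDS = {"password", "hiddenpassword", "passwd", "pass", "pwd"}
# Form fields that merely *claim* a secure channel (e.g. the Lycos checkbox).
SSL_CLAIM_FIELDS = {"ssl"}

# Constructed sample modelled on the post's capture; host and credentials are dummies.
SAMPLE_POST = (
    b"POST /login HTTP/1.0\r\n"
    b"Host: mail.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"login=alice&hiddenlogin=Nutzername&hiddenpassword=******"
    b"&password=dummy&ssl=on"
)


def parse_request(raw: bytes) -> dict:
    """Split a captured HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def audit_login_post(raw: bytes, transport_tls: bool) -> dict:
    """Report credential fields observed in cleartext.

    `transport_tls` must come from the capture itself (TLS on the socket),
    never from the form contents: the form's "ssl=on" is only a claim.
    """
    req = parse_request(raw)
    fields = parse_qs(req["body"], keep_blank_values=True)
    leaked = sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)
    claims_ssl = any(fields.get(f, [""])[0].lower() == "on" for f in SSL_CLAIM_FIELDS)
    return {
        "cleartext_credentials": leaked if not transport_tls else [],
        "ssl_claimed_but_plaintext": claims_ssl and not transport_tls,
    }


if __name__ == "__main__":
    print(audit_login_post(SAMPLE_POST, transport_tls=False))
```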