Security Basics mailing list archives

RE: Clear text password vulnerability

From: "Ken Hamaker" <KHamaker () simplyfashions com>
Date: Mon, 14 Feb 2005 14:10:00 -0600

Actually this behavior is well documented and is easily cured by
implementing SSL on the web Mail server. Sites that do not offer SSL
should be avoided if possible and you should definitely not pass
sensitive material through an insecure site...hope this helps

Thank you very much,
 
Ken Hamaker


-----Original Message-----
From: Harshil Parikh [mailto:harshil1110 () gmail com] 
Sent: Monday, February 14, 2005 9:17 AM
To: security-basics () securityfocus com
Subject: Clear text password vulnerability


Hi,
  I've been using a web based mail service for sometime. Yesterday I was
trying to figure out how the packet exchange occurs between the client
and the server by sniffing it. I wanted to know the forking off to
different servers for authentication purposes. However, I noticed that
the client side would send the password in clear text along with the
username. It uses a POST method for this. I think this is a big
vulnerability in the mail service. I wanted your opinion if I should
term this as a vulnerability or not and whether there is an exploit for
this or not. Also one of my friend adviced me to try and charge money
for figuring out this vulnerability. Should I go ahead with contacting
the sys admin for that ? also is there an exploit that i can point out
to the admin that can be used against them... As far as i know..this
clear text pwd can be exploited only for the = users in same LAN. Is
there any thing else that I can point out to the admin 

Thanks,
Harshil Parikh


--------------------------------------------------------------------------------

This message is confidential. It may also be privileged or otherwise protected by work product immunity or other legal 
rules. 
If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy 
this - 
message or disclose its contents to anyone. 

The contents of this message was sent by Ken Hamaker (KHamaker () simplyfashions com) on 14/2/2005 to harshil1110 () 
gmail com and may not reflect the -
opinion in whole or part of Simply Fashion Stores, Ltd.

Current thread:

Clear text password vulnerability Harshil Parikh (Feb 14)
- Re: Clear text password vulnerability Twofish -lists (Feb 14)
- Re: Clear text password vulnerability Kevin Conaway (Feb 14)
- Re: Clear text password vulnerability Gautam R. Singh (Feb 15)
- <Possible follow-ups>
- RE: Clear text password vulnerability Ken Hamaker (Feb 14)
- RE: Clear text password vulnerability adisegna (Feb 14)