Bugtraq mailing list archives
Re: Security flaws in Yahoo Mail
From: codewarrior () daemon org (Andrew Brown)
Date: Tue, 14 Oct 1997 23:34:39 -0400
I'm not particularly thrilled with Hotmail's setup either. I am sure this must have been discussed before, but can't recall it so... From what I can tell, it authenticates you based on the URL you ask for (some user information is embedded in it; not the password though) and the IP address you are coming from. I'm assuming there is some timeout on the IP address; hmm... looking further, perhaps not. It may just keep the last used one.
heh heh. i think this just "happened" to my web server. i amuse myself by reading the logs and wondering about most of the hits and referrals. then this one struck me:

    http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.103_d7&login=fofer&f=33795&curmbox=ilmrr&msg=MSG876680194.0&start=39557&len=913

i found it amusing. so i dug a little deeper and concluded that it was this hit in my access log.

    200.23.241.120 - - [12/Oct/1997:23:29:43 -0400] "GET / HTTP/1.0" 200 1717

now then, 200.23.241.120 maps to gdl1_b_120.uninet.net.mx (i have no idea why it didn't two nights ago when my web server tried to look it up), and 207.82.250.251 is an address for www.hotmail.com.

anyway, when i tried to access the url from the referers log, i got a page that said:

    We're Sorry, We Cannot Process Your Request
    Reason: Intrusion Logged. Access denied.

so apparently i'm an "intruder". ooh! i'm scared!

--
|-----< "CODE WARRIOR" >-----|
andrew () echonyc com (TheMan)        * "ah! i see you have the internet
codewarrior () daemon org                that goes *ping*!"
warfare () graffiti com      * "information is power -- share the wealth."
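Added example, not part of the original message or the archive: a log scrubber for the receiving web server's side of the leak described above, which redacts account-identifying query parameters from Referer values before they are kept. The choice of sensitive parameter names, the Combined Log Format input, the second log line and the user-agent string are assumptions; the first sample line is constructed by joining the URL and access-log entry quoted in the message.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names taken from the URL quoted in the message. Treating these
# four as the account- or message-identifying ones is an assumption.
SENSITIVE = {"disk", "login", "curmbox", "msg"}

# Combined Log Format: the common-log fields plus "Referer" and "User-Agent".
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def redact_referer(referer):
    """Return (safe_referer, leaked_names) for one Referer value."""
    parts = urlsplit(referer)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return referer, []
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe))), leaked

def scrub_log(lines):
    """Redact sensitive Referer parameters; return (clean_lines, findings)."""
    clean, findings = [], []
    for line in lines:
        m = COMBINED.match(line)
        if m:
            safe, leaked = redact_referer(m.group("referer"))
            if leaked:
                findings.append((m.group("ip"), leaked))
                line = line[:m.start("referer")] + safe + line[m.end("referer"):]
        clean.append(line)
    return clean, findings

# Constructed sample: the first line joins the access-log entry and the
# referring URL from the message; the second is an ordinary hit.
LEAKED_URL = ("http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.103_d7"
              "&login=fofer&f=33795&curmbox=ilmrr&msg=MSG876680194.0"
              "&start=39557&len=913")
SAMPLE = [
    '200.23.241.120 - - [12/Oct/1997:23:29:43 -0400] "GET / HTTP/1.0" '
    f'200 1717 "{LEAKED_URL}" "Mozilla/3.0"',
    '192.0.2.10 - - [12/Oct/1997:23:31:02 -0400] "GET /a.html HTTP/1.0" '
    '200 512 "http://example.org/links.html" "Mozilla/3.0"',
]

if __name__ == "__main__":
    clean, findings = scrub_log(SAMPLE)
    print(findings)
    print(*clean, sep="\n")
```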