Bugtraq mailing list archives
Re: Security flaws in Yahoo Mail
From: codewarrior () daemon org (Andrew Brown)
Date: Tue, 14 Oct 1997 23:34:39 -0400
I'm not particularly thrilled with Hotmail's setup either. I am sure this must have been discussed before, but can't recall it so... From what I can tell, it authenticates you based on the URL you ask for (some user information is embedded in it; not the password though) and the IP address you are coming from. I'm assuming there is some timeout on the IP address; hmm... looking further, perhaps not. It may just keep the last used one.
heh heh. i think this just "happened" to my web server. i amuse
myself by reading the logs and wondering about most of the hits and
referrals. then this one struck me:
http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.103_d7&login=fofer&f=33795&curmbox=ilmrr&msg=MSG876680194.0&start=39557&len=913
i found it amusing. so i dug a little deeper and concluded that it
was this hit in my access log.
200.23.241.120 - - [12/Oct/1997:23:29:43 -0400] "GET / HTTP/1.0" 200 1717
now then, 200.23.241.120 maps to gdl1_b_120.uninet.net.mx (i have no
idea why it didn't two nights ago when my web server tried to look it
up), and 207.82.250.251 is an address for www.hotmail.com.
anyway, when i tried to access the url from the referers log, i got a
page that said:
We're Sorry, We Cannot
Process Your Request
Reason: Intrusion Logged. Access denied.
so apparently i'm an "intruder". ooh! i'm scared!
--
|-----< "CODE WARRIOR" >-----|
andrew () echonyc com (TheMan) * "ah! i see you have the internet
codewarrior () daemon org that goes *ping*!"
warfare () graffiti com * "information is power -- share the wealth."
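An added example, not part of the original post: a receiving-side check that spots referer-log entries like the one quoted above and stores only the origin, so mailbox identifiers leaked by a third-party site are not kept in local logs. The `referer -> document` log layout, the sample lines, and the choice of which parameter names count as sensitive are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the URL quoted in the post. Treating them as
# identity- or session-bearing is an assumption of this example.
SENSITIVE = {"login", "disk", "curmbox", "msg"}

def audit_referer(url):
    """Return (origin_only, leaked): the referer trimmed to scheme://host/
    and a dict of the sensitive query parameters it carried."""
    parts = urlsplit(url)
    leaked = {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() in SENSITIVE}
    origin = f"{parts.scheme}://{parts.netloc}/" if parts.netloc else "-"
    return origin, leaked

def redact_referer_log(lines):
    """Rewrite 'referer -> document' lines so flagged entries keep only the
    origin. Returns (clean_lines, findings); findings name the parameters
    that were dropped, never their values."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, 1):
        referer, sep, document = line.partition(" -> ")
        if not sep:                      # not in the assumed layout: keep as-is
            clean.append(line)
            continue
        origin, leaked = audit_referer(referer.strip())
        if leaked:
            findings.append((lineno, origin, sorted(leaked)))
            clean.append(f"{origin} -> {document}")
        else:
            clean.append(line)
    return clean, findings

# Constructed sample log: first entry reuses the URL from the post,
# second is an invented harmless referer.
SAMPLE_LOG = [
    "http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.103_d7&login=fofer"
    "&f=33795&curmbox=ilmrr&msg=MSG876680194.0&start=39557&len=913 -> /",
    "http://search.example/find?q=bugtraq -> /",
]

if __name__ == "__main__":
    clean, findings = redact_referer_log(SAMPLE_LOG)
    for lineno, origin, names in findings:
        print(f"line {lineno}: {origin} leaked parameters {names}")
    print("\n".join(clean))
```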
