Bugtraq mailing list archives
Sprint PCS vulnerable to malicious tags
From: shrub () YAHOO COM (Paul Schreiber)
Date: Fri, 4 Feb 2000 19:22:31 -0000
I'm sure you're all familiar with the CERT advisory:
http://www.cert.org/advisories/CA-2000-02.html

Sprint PCS's web site is vulnerable to this flaw. Any text you enter into the customer care area is subsequently displayed verbatim on a web page:
https://www.sprintpcs.com/manage/myaccount.asp

To access that page, you must have a Sprint PCS account and password. As soon as you post your question, it will appear in your case history -- HTML and all.

At this point in time, it is unclear whether Sprint PCS customer service representatives use a web browser to respond to these questions. If this is the case, clever hackers could exploit this vulnerability to gain sensitive information about Sprint PCS, possibly including confidential customer information.

There is a similar form for non-customers at:
https://www.sprintpcs.com/learn/form_public_question.asp

You don't get to see the results yourself, but, again, if Sprint PCS reps use a web browser, their systems could be compromised.

Paul
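
The behaviour reported above, next to the output-encoding fix and a check that catches it, as an added example that is not part of the original post and not Sprint PCS code. The function names, the page template and the sample case history are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample case history: (author, text) pairs, not real data.
SAMPLE_CASES = [
    ("customer", "My phone shows <b>no service</b> since Tuesday."),
    ("customer", "Billing question <script>/* constructed */</script>"),
]


def render_verbatim(cases):
    """The behaviour the post describes: submitted text enters the page as-is."""
    return "".join(f"<li>{author}: {text}</li>\n" for author, text in cases)


def render_encoded(cases):
    """Encode on output so submitted markup is shown as text, not parsed."""
    return "".join(
        f"<li>{html.escape(author)}: {html.escape(text)}</li>\n"
        for author, text in cases
    )


class TagCollector(HTMLParser):
    """Records every element a browser-like parser would see in the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page, allowed=("li",)):
    """Return elements in the rendered page that the template did not emit."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return sorted(set(parser.tags) - set(allowed))


if __name__ == "__main__":
    print("verbatim:", injected_tags(render_verbatim(SAMPLE_CASES)))
    print("encoded: ", injected_tags(render_encoded(SAMPLE_CASES)))
```

The same check applies to any view that shows the case history, including one used by support staff, since the encoding has to happen wherever the stored text is written into a page.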