Bugtraq mailing list archives

Re: Hushmail.com accounts vulnerable to script attack.


From: Brian Smith <sundaydriver () hushmail com>
Date: 13 Sep 2001 15:57:15 -0000

The vulnerability has been fixed.  We have no record 
of a notification on September 5th, or we certainly 
would have fixed this earlier.  It was a very 
straightforward issue involving a failure to use the 
htmlspecialchars() PHP function in that area of the 
code.  It is our general practice to always use this 
method when displaying information using PHP in 
order to avoid such scripting vulnerabilities, and we 
regret the unfortunate oversight.

Many thanks to 1; and everyone else who has helped 
us keep HushMail secure in the past.

Brian Smith
Vice President, Engineering
Hush Communications
brian.smith () hush com

TOPIC: Hushmail.com accounts vulnerable to script attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
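
The fix named in the reply above is output encoding with htmlspecialchars(). The following is an added example, not part of the original post and not Hushmail's code: it renders one row of a message list with and without encoding, and shows why the quote flag matters when a value lands inside a single-quoted attribute. The helper h(), the two render functions, the field names and the sample message are all constructed for illustration.

```php
<?php
// Added example; not Hushmail's code. Names and sample data are constructed.

// Encode a value for HTML element content or a quoted attribute value.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid byte
// sequences instead of making the function return an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": sender-controlled fields are concatenated into markup as-is.
function render_row_unsafe(array $msg): string
{
    return "<tr><td title='" . $msg['from'] . "'>" . $msg['subject'] . "</td></tr>";
}

// "After": every dynamic value is encoded at the point of output.
function render_row_safe(array $msg): string
{
    return "<tr><td title='" . h($msg['from']) . "'>" . h($msg['subject']) . "</td></tr>";
}

// Constructed sample message whose fields contain markup characters.
$msg = [
    'from'    => "x' onmouseover='alert(1)",
    'subject' => '<script>alert(1)</script>',
];

// Unsafe row: the subject becomes a script element and the sender value
// closes the title attribute and adds an event handler.
echo render_row_unsafe($msg), "\n";

// Safe row: <, >, &, " and ' are emitted as entities, so the browser
// shows the values as text.
echo render_row_safe($msg), "\n";

// Caveat: ENT_COMPAT leaves single quotes untouched, so the sender value
// would still break out of the single-quoted title attribute above.
// ENT_COMPAT was the default flag set before PHP 8.1.
echo htmlspecialchars($msg['from'], ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

htmlspecialchars() covers HTML text and quoted attribute values only; values placed inside script blocks or URLs need encoding for that context.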

