Bugtraq mailing list archives
Mail.com Cross Site Scripting Vulnerability
From: "Keith Dallara" <dallara () mail com>
Date: Fri, 04 Jan 2002 23:18:17 +0800
This problem was fixed this morning.

Keith Dallara
Director, E-Mail Product Management
dallara () mail com

-----Original Message-----
From: Digital Shadow [mailto:dshadow () whoever com]
Sent: Thursday, January 03, 2002 12:16 PM
To: mailsupport () staff mail com
Cc: bugtraq () securityfocus com
Subject: Mail.com Cross Site Scripting Vulnerability

----------------------------------------------
Mail.com Cross Site Scripting Vulnerability
Ministry-of-Peace - www.ministryofpeace.co.uk
----------------------------------------------

SYNOPSIS

Mail.com offers free webmail services, which are used by tens of thousands of people around the world. The site suffers from a CSS vulnerability, giving a malicious user the ability to view the site cookies of any user currently logged in.

IMPACT

If a malicious user can get the mail.com user to follow a simple link, then they can grab that user's mail.com cookies and possibly use them to authenticate as that user.

WORKING EXAMPLE

Log into your mail.com account, and then go to:

http://mymail.mail.com/scripts/common/forgotpasswd.cgi?login=<p><!-- scripts>document.writeln(document.cookie)</scripts --></p>

CREDITS

Vulnerability discovered by Digital Shadow.

INFO

Security Advisory #03
Published: 03rd January 2002

--
_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

1 cent a minute calls anywhere in the U.S.!
http://www.getpennytalk.com/cgi-bin/adforward.cgi?p_key=RG9853KJ&url=http://www.getpennytalk.com
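As an added example (not part of either message in the thread), the following shows how the reflected `login=` value from the advisory's link behaves under a tag blocklist versus proper output encoding. The response template and all function names are constructed stand-ins, since the real forgotpasswd.cgi markup is not on the page; any CGI that echoes the parameter behaves the same way.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The link from the advisory, with the value handed to forgotpasswd.cgi's login= parameter.
ADVISORY_URL = (
    "http://mymail.mail.com/scripts/common/forgotpasswd.cgi?login="
    "<p><!-- scripts>document.writeln(document.cookie)</scripts --></p>"
)

# Constructed stand-in for the CGI's response page (the real mail.com markup is unknown).
TEMPLATE = (
    "<html><body>No account found for <b>{login}</b>."
    '<form><input name="login" value="{login}"></form></body></html>'
)


def login_param(url: str) -> str:
    """Return the raw login= value exactly as the CGI would receive it."""
    return parse_qs(urlsplit(url).query).get("login", [""])[0]


def render_blocklist(login: str) -> str:
    """Weak mitigation: strip only literal <script> tags before echoing the value.
    A tag blocklist is easy to evade; the advisory's string contains no such tag."""
    cleaned = re.sub(r"</?script>", "", login, flags=re.IGNORECASE)
    return TEMPLATE.format(login=cleaned)


def render_escaped(login: str) -> str:
    """Correct mitigation: entity-encode the value so the browser renders it as text."""
    return TEMPLATE.format(login=html.escape(login, quote=True))


def reflected_verbatim(page: str, login: str) -> bool:
    """Detection check: does the untrusted value reach the response unchanged?"""
    return login in page


def injected_tag_count(page: str) -> int:
    """Count angle brackets in the response beyond those the template itself contains."""
    return page.count("<") - TEMPLATE.count("<")


if __name__ == "__main__":
    value = login_param(ADVISORY_URL)
    print("blocklist reflects verbatim:", reflected_verbatim(render_blocklist(value), value))
    print("escaped reflects verbatim:  ", reflected_verbatim(render_escaped(value), value))
```

The blocklist version echoes the advisory's string twice (eight injected angle brackets), while the escaped version reflects none, which is the property a fix for this report has to satisfy.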