Full Disclosure mailing list archives
Re: Brazilian Bank (Caixa Economica Federal) vuln
From: "H2G-Labs Information Security" <h2glabs.infosec () gmail com>
Date: Fri, 20 Jun 2008 10:11:27 -0300
Hi folks, some Brazilian banks have been implementing a system based on computer identification (like a PC registration). The system has some vulns and can be easily exploited. I am trying to contact Caixa Economica Federal (http://www.caixa.gov.br) without success.

If the attacker has the USERNAME and the PASSWORD of the user account, the attacker can log in to the bank account without identifying the computer. To do this, after entering the USERNAME and PASSWORD of the account, put this code in the browser (on the agree-terms page):

javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);

And you will be logged in, without needing to register/identify your machine. I hope the CAIXA team solves this problem quickly. Sorry for my bad English, I am Brazilian. Regards...
This vulnerability has been patched! Regards...

--
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com
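The flaw described in the post is a flow check that lives only in the client: clearing the form's onsubmit handler and setting the "navegacao" field to the logged-in step is enough because the server trusts that field. The following Python is an added example, not code from the original post or from the bank, contrasting that pattern with a server-side decision that uses only session state; the value '16' is the one quoted in the post, while the other step names and the session keys are placeholders I made up.

```python
# Added example: deciding the next step of a login flow with a device
# registration stage. Step value '16' is from the original post; every other
# step name and session key below is a constructed placeholder.

LOGGED_IN_STEP = "16"              # logged-in area, as quoted in the post
LOGIN_STEP = "login"               # constructed
DEVICE_REG_STEP = "register_device"  # constructed
TERMS_STEP = "terms"               # constructed


def weak_next_step(form):
    """Vulnerable pattern: the server takes the step from the submitted form.

    Any client-side guard (the onsubmit handler) can be removed by the user,
    so this lets a caller jump straight to LOGGED_IN_STEP.
    """
    return form.get("navegacao")


def required_step(session):
    """The only step this server-held session may legitimately reach next.

    `session` is assumed to be stored server-side and looked up by an opaque
    cookie, so its flags are set by the server when each stage completes
    (password check, device registration or a recognised device, terms page)
    and cannot be edited like a form field.
    """
    if not session.get("password_ok"):
        return LOGIN_STEP
    if not session.get("device_verified"):
        return DEVICE_REG_STEP
    if not session.get("terms_accepted"):
        return TERMS_STEP
    return LOGGED_IN_STEP


def hardened_next_step(session, form):
    """Return (next_step, anomaly).

    The submitted "navegacao" value is treated as a hint only. The user is
    always routed to the step the session state requires; a mismatch is
    reported so it can be logged and alerted on as an attempted skip.
    """
    requested = form.get("navegacao")
    required = required_step(session)
    return required, requested != required


if __name__ == "__main__":
    forged = {"navegacao": LOGGED_IN_STEP}        # constructed forged form
    unregistered = {"password_ok": True}           # password ok, device unknown
    print("weak:", weak_next_step(forged))         # '16' - bypass succeeds
    print("hardened:", hardened_next_step(unregistered, forged))
```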