Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

ssl-login-checkbox faked in Lycos webmail-frontend

from [Fischer, Andreas] Network Security [Permanent Link]
Subject: ssl-login-checkbox faked in Lycos webmail-frontend
Date: Thu, 25 Aug 2005 20:14:43 +0200 
Lycos Webmail offers a checkbox named "SSL LOGIN" which let you assume a secure 
transfer of your credentials - it's only pretended! Repeatedly sniffs shows 
account and password in cleartext - no https-packet came across...
The interesting part of the relating http-packet:

...
login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******&password=geheim000&ssl=on
HTTP/1.0 302 Found
Date: Thu, 25 Aug 2005 17:51:48 GMT
Content-Length: 63
Content-Type: text/html
Expires: Fri, 26 Aug 2005 17:51:48 GMT
Cache-Control: max-age=86400, private
Proxy-Connection: keep-alive Server: Apache/1.3.33 (Unix) Resin/2.1.12 
mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c

...and so on. Funny, isn't it? Or poor!

Lycos informed in july 27.

greetings - fish
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • ssl-login-checkbox faked in Lycos webmail-frontend, Fischer, Andreas <=
Previous by Date:  Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection, devfreedom
Next by Date:  Re: LeapFTP .lsq Buffer Overflow Vulnerability, Kaveh Razavi
Previous by Thread:  An Illustrated Guide to IPSec, Steve Friedl
Next by Thread:  Tool Announcement: AIRT -- the Advanced Incident Response Tool 0.4.2 released, madsys
Indexes:  [Date] [Thread] [Top] [All Lists]