Date: Wed, 1 Sep 1999 13:19:25 +1000
From: "Lachlan O'Dea" <lodea@vet.com.au>
To: security@FreeBSD.ORG
Subject: Re: hotmail
Message-ID: <19990901131925.A23842@vet.com.au>
In-Reply-To: <Pine.BSF.4.10.9908312002030.472-100000@noc.santacruz.org>
References: <37CC959B.9CA5F03A@stlinux.ouhk.edu.hk> <Pine.BSF.4.10.9908312002030.472-100000@noc.santacruz.org>
On Tue, Aug 31, 1999 at 08:03:26PM -0700, Kevin Lynn wrote:

> Yes.. but chances are it's because of a security hole that wasn't because
> of freebsd as slashdot posted something about the security hole being
> exploitable via some web page that would let you read other people's mail.

By the time I caught up with this, the exploit appeared to have been fixed, but what I've read indicated that the web pages with the exploit simply perform a GET on the following URL:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=USERNAME&passwd=eh

and that you could just type that in your browser, putting in whatever username you want. You then received full access to that user's account.

Many people are saying this is a result of Hotmail's use of the Microsoft Passport system. It is designed to allow you to log in to any MSN site without having to re-enter your username and password every time. Well, I guess not requiring a password is one way to achieve that.

In any case, it seems that the operating system being used was not a factor at all.

--
Lachlan O'Dea <mailto:lodea@vet.com.au>
Computer Associates Pty Ltd
Webmaster
Vet - Anti-Virus Software
http://www.vet.com.au/
"With our combined strength, we can end this destructive conflict and bring order to the galaxy." - Darth Vader

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
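The failure described in this message, as an added illustration that is not part of the thread or of Hotmail's code: a login handler that parses the `passwd` parameter but never compares it, beside one that verifies a salted hash in constant time and refuses credentials passed in a GET URL. The user store, the account name `alice` and its password are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
import hashlib
import hmac
import os

def make_record(password: str):
    """Constructed credential record: random salt plus PBKDF2-SHA256 hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store standing in for the mail service's account database.
USERS = {"alice": make_record("correct horse battery")}

# The URL shape from the message, with a constructed username in place of USERNAME.
BYPASS_URL = "http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=alice&passwd=eh"

def parse_credentials(query: str):
    """Pull login/passwd out of an application/x-www-form-urlencoded string."""
    q = parse_qs(query)
    return q.get("login", [""])[0], q.get("passwd", [""])[0]

def vulnerable_start(method: str, url: str):
    """Mirrors the reported behaviour: the mailbox opens for any known login as
    long as *some* passwd value is present. The password is never compared."""
    login, passwd = parse_credentials(urlsplit(url).query)
    if login in USERS and passwd:
        return f"mailbox:{login}"
    return None

def hardened_start(method: str, url: str, body: str = ""):
    """Credentials must arrive in a POST body (kept out of URLs and access logs)
    and must match the stored salted hash, compared in constant time."""
    if method != "POST":
        return None
    login, passwd = parse_credentials(body)
    record = USERS.get(login)
    if record is None:
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt, 100_000)
    if hmac.compare_digest(stored, candidate):
        return f"mailbox:{login}"
    return None

if __name__ == "__main__":
    print("vulnerable:", vulnerable_start("GET", BYPASS_URL))
    print("hardened:  ", hardened_start("GET", BYPASS_URL))
```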