Re: [Full-disclosure] Insecure http pages referencing https form-actions.

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 08/10/05

Next message: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."

Previous message: Alessandro Amici: "[Full-disclosure] Re: Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation"
In reply to: fd_at_ew.nsci.us: "[Full-disclosure] Insecure http pages referencing https form-actions."
Next in thread: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."
Reply: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 10 Aug 2005 13:25:20 +1200
To: full-disclosure@lists.grok.org.uk

fd@ew.nsci.us wrote:

> Today I realized that many "secured" web sites reference their secure
> login page from an insecure page. For example:
>
> http://www.some-luser.com/login.html:
> <form action="https://cgi.some-luser.com/login-cgi">
> user: <input name=user>
> pass: <input name=pass>
> </form>

Welcome to, ohhh, 1997???

I can't be bothered looking it up, but this is ancient.

Of course, that it still happens really, often, on huge sites that
really should know better says a lot about, well, many things really...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Next message: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."

Previous message: Alessandro Amici: "[Full-disclosure] Re: Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation"
In reply to: fd_at_ew.nsci.us: "[Full-disclosure] Insecure http pages referencing https form-actions."
Next in thread: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."
Reply: fd_at_ew.nsci.us: "Re: [Full-disclosure] Insecure http pages referencing https form-actions."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Connect to SQL Server
... MS-SQL db and invited anyone who claimed this was insecure ... to login and create a table named after himself or herself. ... Almost all server sites will shut down anyone who tries a brute force ... Server port 1433 on their firewall (of course after properly ...
(comp.databases.ms-access)
Re: Telnet not working remotely
... Telnet and ftp are insecure, and are not loaded/enabled during normal installs. ... login id and password is passed as clear text and can ...
(comp.os.linux.setup)
Re: rsh && IMAP server
... and tried the advice listed there, but Pine is determined to use INSECURE to login to the mail server. ...
(comp.mail.pine)
RE: Password communication
... Also the "Change password after login" isn't going to help this situation, as if the wrong person gets the temp password, he/she will just change that to something else upon login. ... Wish we had the $$ for RSA or some two factor authentication, as that seems easier on the end users, rather than trying to explain why their password can't be "MONDAY" etc ... Subject: Password communication ... I don't agree that the phone is insecure. ...
(Security-Basics)