Re: [Full-disclosure] Insecure http pages referencing https form-actions.

From: Nick FitzGerald (
Date: 08/10/05

    Date: Wed, 10 Aug 2005 13:25:20 +1200

    > Today I realized that many "secured" web sites reference their secure
    > login page from an insecure page. For example:
    > <form action="">
    > user: <input name=user>
    > pass: <input name=pass>
    > </form>

    Welcome to, ohhh, 1997???

    I can't be bothered looking it up, but this is ancient.

    Of course, that it still happens really, often, on huge sites that
    really should know better says a lot about, well, many things really...


    Nick FitzGerald

    Full-Disclosure - We believe in it.
    Hosted and sponsored by Secunia -
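An added example, not part of the original message or the list archive: a small Python check for the pattern the quoted post describes, a credential form delivered over http whose action points at https. The function name, the credential field-name list and the example.com URLs are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names treated as credentials when type="password" is absent,
# as in the quoted form (the list itself is an assumption of this example).
CREDENTIAL_NAMES = {"pass", "password", "passwd", "pwd"}

# Constructed sample: the quoted form with a placeholder https action.
SAMPLE = '''<form action="https://secure.example.com/login">
user: <input name=user>
pass: <input name=pass>
</form>'''

class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form> seen
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "credential": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            is_pw = a.get("type", "").lower() == "password"
            if is_pw or a.get("name", "").lower() in CREDENTIAL_NAMES:
                self._open["credential"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(page_url, html):
    """Return (finding, resolved_action) pairs for credential forms."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["credential"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action = page itself
        if urlsplit(target).scheme.lower() != "https":
            findings.append(("cleartext-submit", target))
        elif page_scheme != "https":
            # https action, but the form markup itself arrived unauthenticated.
            findings.append(("https-action-on-http-page", target))
    return findings
```

The second finding is the case from the thread: the submission is encrypted, but the page carrying the form was not authenticated, so the action the browser ends up using cannot be trusted.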
