Re: [Full-disclosure] Insecure http pages referencing https form-actions.

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 08/10/05

    Date: Wed, 10 Aug 2005 13:25:20 +1200
    To: full-disclosure@lists.grok.org.uk
    
    

    fd@ew.nsci.us wrote:

    > Today I realized that many "secured" web sites reference their secure
    > login page from an insecure page. For example:
    >
    > http://www.some-luser.com/login.html:
    > <form action="https://cgi.some-luser.com/login-cgi">
    > user: <input name=user>
    > pass: <input name=pass>
    > </form>

    Welcome to, ohhh, 1997???

    I can't be bothered looking it up, but this is ancient.

    Of course, that it still happens really often, on huge sites that
    really should know better, says a lot about, well, many things really...

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
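As an added example (not code from the thread or its authors), here is a check a site owner could run over their own pages to catch the pattern fd@ew.nsci.us quotes above: a form on an http:// page posting to an https:// action. Since the http page itself reaches the browser unprotected, the https action gives the user no assurance about where the credentials will go, so the login page should be served over https too. The sample page and hostnames come from the quoted post; the scanner, the `find_mixed_login_forms` function and the password-name heuristic are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample; the hostnames are those in the quoted post.
SAMPLE_PAGE_URL = "http://www.some-luser.com/login.html"
SAMPLE_HTML = """<form action="https://cgi.some-luser.com/login-cgi">
user: <input name=user>
pass: <input name=pass>
</form>"""

PASSWORD_NAMES = ("pass", "passwd", "password")  # heuristic for untyped inputs

class _FormScanner(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # The quoted form uses <input name=pass> with no type attribute,
            # so match on the field name as well as on type=password.
            if a.get("type", "").lower() == "password" or a.get("name", "").lower() in PASSWORD_NAMES:
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_mixed_login_forms(page_url, html):
    """Return (resolved action URL, has_password) for each suspect form.

    Only pages fetched over plain http:// are at issue; a form on such a page is
    reported when it posts to an https:// action or carries a password field.
    """
    if urlsplit(page_url).scheme != "http":
        return []
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        action = urljoin(page_url, form["action"])  # resolve relative actions
        if urlsplit(action).scheme == "https" or form["has_password"]:
            findings.append((action, form["has_password"]))
    return findings
```

Feed it the URL a page was fetched from and the response body; for the quoted login page it reports the https action together with the fact that a password field is being submitted from an unprotected page.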


