[NEWS] Hushmail.com Accounts Vulnerable to Script Attack
From: support@securiteam.com
Date: 09/19/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Hushmail.com Accounts Vulnerable to Script Attack
Message-Id: <20010919201110.ECDDD138C1@mail.der-keiler.de>
Date: Wed, 19 Sep 2001 22:11:10 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Hushmail.com Accounts Vulnerable to Script Attack
------------------------------------------------------------------------
SUMMARY
Hushmail.com (http://hushmail.com/) is a web-based mail service that
promotes itself as a secure solution. A security vulnerability in the web
service allows attackers to insert HTML tags and JavaScript into existing
pages (emails).
DETAILS
Whenever you log in to a Hushmail account, the inbox is opened. If you send
an email with a specially formed "from" field, which usually contains a
name, you can execute JavaScript, VBScript, and other active code on the
computer of the person who logged in. This also works for the "topic"
field.
Vendor status:
The vulnerability was fixed on 13 September 2001.
ADDITIONAL INFORMATION
The information has been provided by onesemicolon
<onesemicolon@onesemicolon.cjb.net> and Brian Smith
<sundaydriver@hushmail.com>.
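
The class of bug described under DETAILS, sketched as an added example that is not part of the advisory and not Hushmail's code: sender name and subject are decoded from a message and written into an inbox row, once unescaped and once with HTML escaping at output time. The sample message, the function names and the row markup are constructed for illustration, and unescaped output is an assumed root cause, since the advisory does not describe the vendor's fix.

```python
import html
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: markup in the display name, and markup in the subject
# hidden inside an RFC 2047 encoded-word (base64 of "<b>hi</b>").
SAMPLE = (
    'From: "<script>alert(1)</script>" <sender@example.com>\n'
    "Subject: =?utf-8?b?PGI+aGk8L2I+?=\n"
    "\n"
    "body\n"
)


def header_text(raw):
    """Decode encoded-words first, so escaping is applied to the final text."""
    return str(make_header(decode_header(raw or "")))


def inbox_fields(raw_message):
    """Return (sender, subject) as an inbox listing would display them."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return header_text(name) or addr, header_text(msg.get("Subject", ""))


def render_row_unescaped(sender, subject):
    # Assumed weak pattern: attacker-controlled header text becomes page markup.
    return "<tr><td>" + sender + "</td><td>" + subject + "</td></tr>"


def render_row(sender, subject):
    # Hardened pattern: escape every header-derived value when writing HTML.
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(sender, quote=True), html.escape(subject, quote=True)
    )


if __name__ == "__main__":
    sender, subject = inbox_fields(SAMPLE)
    print(render_row_unescaped(sender, subject))
    print(render_row(sender, subject))
```

Escaping after decoding matters: the encoded-word subject contains no angle brackets on the wire, so a filter applied to the raw header would miss it.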