From owner-freebsd-security Thu Sep 23 1:57: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail1.cai.com (mail1.cai.com [141.202.248.38]) by hub.freebsd.org (Postfix) with ESMTP id B6E5D14E2C for ; Thu, 23 Sep 1999 01:57:03 -0700 (PDT) (envelope-from lodea@vet.com.au) Received: from asmees04.cai.com ([155.35.171.4]) by mail1.cai.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2232.9) id S70RM4X4; Thu, 23 Sep 1999 04:56:00 -0400 Received: from rivendell.mel.cybec.com.au (rivendell.mel.cybec.com.au [203.103.154.61]) by asmees04.cai.com (8.9.2/8.9.2) with ESMTP id SAA09226 for ; Thu, 23 Sep 1999 18:58:52 +1000 (EST) Received: (from lodea@localhost) by rivendell.mel.cybec.com.au (8.9.3/8.9.3) id NAA23882 for security@FreeBSD.ORG; Wed, 1 Sep 1999 13:19:26 +1000 (EST) Date: Wed, 1 Sep 1999 13:19:25 +1000 From: "Lachlan O'Dea" To: security@FreeBSD.ORG Subject: Re: hotmail Message-ID: <19990901131925.A23842@vet.com.au> Mail-Followup-To: security@FreeBSD.ORG References: <37CC959B.9CA5F03A@stlinux.ouhk.edu.hk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre1i In-Reply-To: X-Operating-System: FreeBSD 3.1-RELEASE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Aug 31, 1999 at 08:03:26PM -0700, Kevin Lynn wrote: > Yes.. but chances are it's because of a security hole that wasn't because > of freebsd as slashdot posted something about the security hole being > exploitable via some web page that would let you read other peoples mail. By the time I caught up the this, the exploit appeared to have been fixed, but what I've read indicated that the web pages with the exploit simply perform a GET on the following URL: http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=USERNAME&passwd=eh and that you could just type that in your browser, putting in whatever username you want. You then received full access to that user's account. Many people are saying this is a result of Hotmail's use of the Microsoft Passport system. It is designed to allow you to log in to any MSN site without having to re-enter your username and password every time. Well, I guess not requiring a password is one way to achieve that. In any case, it seems that the operating system being used was not a factor at all. -- Lachlan O'Dea Computer Associates Pty Ltd Webmaster Vet - Anti-Virus Software http://www.vet.com.au/ "With our combined strength, we can end this destructive conflict and bring order to the galaxy." - Darth Vader To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message