Plain Text Password Disclosure vulnerability in rediff mail
Dear all,

Is it a good mail? What do you feel, guys? It doesn't encrypt your passwords.
POST /cgi-bin/login.cgi HTTP/1.1
Host: mail.rediff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.rediff.com/
Cookie: RuW=1252586041360329; RsW=IND; RLOC=%5F%5FeZMqPfDceMg%5F%5F4P6Xdf5DkD2%5F%5FtHonjGX8AnI%5F%5Find%5F%5F; Rt=%3D%3DAMwAjN3czN; accounttype=77; Rp=g%3D2%26a%3D24%26c%3D08%26s%3D29%26cn%3D099%26z%3D123456%26p%3D034%26e%3D05%26d%3D_04%26i%3D_35_%26dor%3D20060220%26mi%3D3; RMID=7c7dc92f4aa8f200; RMFS=011MljEWU107fl; app_lang=; ckey=70795
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

login=evil.devil&passwd=*devil.evil*&remember=1&FormName=existing
Regards
kalyan
Full disclosure: http://seclists.org/fulldisclosure/2009/Sep/85
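As an added example, not part of kalyan's post and not Rediff's code: a small Python script that parses a captured request like the one above, joins header lines that a mail client has wrapped, and reports which form fields carrying a secret left the client without TLS. It also checks the declared Content-Length against the body that is actually present, the sanity check to apply before trusting a capture that has been re-wrapped or hand-edited. The sample request is constructed (trimmed from the post's request, with the same field names), and the secret-field pattern and the `tls` flag are assumptions made for this example: the request bytes alone do not say which transport carried them, so the caller states whether they came out of a TLS session.

```python
"""Added example, not from the original post or from Rediff: parse a captured
HTTP/1.x request and flag secret-looking form fields sent without TLS."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Assumption: field names that normally carry a secret.
SECRET_FIELD_RE = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

# Constructed sample, trimmed from the request in the post (hypothetical values).
# A mail client wrapped the long User-Agent line; the continuation starts with a
# space, which is HTTP/1.1 obsolete line folding and must be joined back.
SAMPLE_REQUEST = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Host: mail.rediff.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3)\r\n"
    " Gecko/20090824 Firefox/3.5.3\r\n"
    "Referer: http://www.rediff.com/\r\n"
    "Cookie: RsW=IND; accounttype=77\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 63\r\n"
    "\r\n"
    "login=evil.devil&passwd=devil.evil&remember=1&FormName=existing"
)


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw request into (method, target, headers, body).

    Header names are lower-cased. A line beginning with whitespace is a folded
    continuation of the previous header and is appended to it.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, target, headers, body


def content_length_ok(raw: str) -> bool:
    """True when the declared Content-Length matches the body actually present.

    A mismatch usually means the capture was edited or re-wrapped in transit
    (for instance by a mail client), so the body is not what was sent.
    """
    _m, _t, headers, body = parse_http_request(raw)
    declared = headers.get("content-length")
    return declared is None or int(declared) == len(body.encode("latin-1"))


def credentials_in_clear(raw: str, tls: bool = False) -> List[Tuple[str, str]]:
    """Return (field, value) pairs that look like secrets in a form-encoded POST
    that was not carried over TLS. `tls` is supplied by the caller because the
    request bytes alone do not say which transport they travelled on."""
    method, _target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if tls or method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    return [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if SECRET_FIELD_RE.search(k)]


if __name__ == "__main__":
    if not content_length_ok(SAMPLE_REQUEST):
        print("warning: Content-Length does not match body; capture may be altered")
    for field, value in credentials_in_clear(SAMPLE_REQUEST):
        print(f"secret sent in clear over http://: {field}={value}")
```

Run against the sample, it reports the `passwd` field. A login form that posts over plain http:// hands the password to anyone on the path (the local network, a shared Wi-Fi, an intercepting proxy); the remedy is to serve both the form page and its action URL over HTTPS, which the same check treats as clean when the caller passes `tls=True`.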