|
Elektrolurch
enthusiast
Registered: 05/01/00
Posts: 307
Loc: Germany
Last seen: 18 years, 11 months
|
Shroomery security concern
#455836 - 11/12/01 09:42 AM (23 years, 3 months ago) |
|
|
Hi,
Some days ago I was taking a look at the cookies on my computer due to a problem logging into the Shroomery. I read the cookie from the Shroomery and couldn't believe that I was able to read my password. This cookie is sent through many computers before it reaches you, and is therefore possibly accessible to other people. I expected that the password would be encrypted. You can take a look yourself:
E.g. for Internet Explorer:
Go to the "Internet Options" menu in Internet Explorer. Under "temporary internet Files" push "preferences"; in the next window push "show files". An Explorer window showing your "temporary internet" files is displayed. Look for a text file named "wwwthreads" from the URL "Cookie:name@shroomery.org/wwwthreads" (name is your Windows login name). Open it by pressing Enter. Windows will show a warning message, just go on. Notepad will open and you will see a line with text and numbers. The newline is not interpreted correctly by Notepad, so you may see a block instead of getting a new line. Look for "w3t_mypass"; after that your password is shown unencrypted :(
The problem is that if someone knows your password, they can look at your private messages. I have myself got mail addresses through a PM (I deleted these messages).
I can just say that you shouldn't send mail addresses through the Shroomery PM, and you should take care about what you write through a PM. BTW hotmail & yahoo encrypt the password; this still doesn't mean that they are completely secure.
I hope to hear some ideas from you about this security hole in the Shroomery.
Elektrolurch
-------------------- "For all the time spent in that room
The doll's house, darkness, old perfume
And fairy stories held me high on
Clouds of sunlight floating by.", Pink Floyd '67
|
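Added example, not part of the original thread: a small audit of a cookie file like the one described in the post above, reporting credential-named cookies such as "w3t_mypass" without echoing their values. The nine-field, LF-separated record layout, the `demo_*` cookie names and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample in the legacy IE per-site cookie file layout (assumed:
# nine LF-separated fields per record, the last one "*"). The bare LF
# separators are why Notepad shows blocks instead of line breaks.
SAMPLE = (
    "demo_pref\ndark\nshroomery.org/wwwthreads\n1024\n100\n200\n300\n400\n*\n"
    "w3t_mypass\nconstructed-pw\nshroomery.org/wwwthreads\n1024\n"
    "100\n200\n300\n400\n*\n"
    "demo_pass_hash\n" + "ab12" * 8 + "\nshroomery.org/wwwthreads\n1024\n"
    "100\n200\n300\n400\n*\n"
)

CRED_NAME = re.compile(r"pass|pwd|secret", re.I)
# Hex strings of MD5/SHA-1/SHA-256 length; a heuristic, not proof of hashing.
DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_cookie_file(text):
    """Split the file into records of name, value and site (domain/path)."""
    fields = text.split("\n")
    records = []
    for i in range(0, len(fields) - 8, 9):
        chunk = fields[i:i + 9]
        if chunk[8] != "*":
            raise ValueError(f"record at field {i} lacks the '*' terminator")
        records.append({"name": chunk[0], "value": chunk[1], "site": chunk[2]})
    return records


def audit(records):
    """Return (site, name, kind, length) for credential-named cookies.

    The value itself is never returned, so the report is safe to share.
    """
    findings = []
    for rec in records:
        if not CRED_NAME.search(rec["name"]):
            continue
        kind = "digest-like" if DIGEST.match(rec["value"]) else "cleartext-like"
        findings.append((rec["site"], rec["name"], kind, len(rec["value"])))
    return findings


if __name__ == "__main__":
    for site, name, kind, length in audit(parse_cookie_file(SAMPLE)):
        print(f"{site}: cookie {name!r} holds a {kind} value ({length} chars)")
```

A "digest-like" result only describes the shape of the value; the cookie is still sent with every request to the site.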
Malice
still learning
Registered: 10/22/01
Posts: 69
Last seen: 14 years, 3 months
|
Re: Shroomery security concern [Re: Elektrolurch]
#455888 - 11/12/01 10:59 AM (23 years, 3 months ago) |
|
|
*rofl* i would not call this a security hole... it's just a shame - nothing more.
but what makes it a hole is this:
think about it.
more info:
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=3513
so think about your cookies *muhahahahah*
btw: admins could also modify your cookies - and/or save them. (just logging the outgoing script-generated html sites - nothing special, as jared will agree).
edit: damn the board rewrites my link:
root site:
here
just type in:
www.shroomery.org/wwwthreads/
btw: it is sure crypted by me.... maybe coz i got 128 bit encryption.... on rsa :oP
-------------------- *chill*
Edited by Malice (11/12/01 11:20 AM)
|
Elektrolurch
enthusiast
Registered: 05/01/00
Posts: 307
Loc: Germany
Last seen: 18 years, 11 months
|
Re: Shroomery security concern [Re: Malice]
#456755 - 11/13/01 05:32 AM (23 years, 3 months ago) |
|
|
Thanx for the info...
The first try for the Google thing didn't work, because I was using Konqueror under Linux, but I tried it now with the IE...
Elektrolurch
-------------------- "For all the time spent in that room
The doll's house, darkness, old perfume
And fairy stories held me high on
Clouds of sunlight floating by.", Pink Floyd '67
|
|