[10875] in bugtraq
M1 website vulnerable
daemon@ATHENA.MIT.EDU (Spy eye)
Tue Jun 22 12:14:51 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <199906211109.HAA12775@netspace.org>
Date: Mon, 21 Jun 1999 07:07:45 -0400
Reply-To: Spy eye <eye@MAILANDNEWS.COM>
From: Spy eye <eye@MAILANDNEWS.COM>
To: BUGTRAQ@NETSPACE.ORG
https (http over ssl) is to provide secure connection, but for this website,
they are exposing their cgi scripts through https. The worst part of it is
their password checking scripts can be obtained. Bugs in the scripts maybe
exploited or loopholes in the password checking mechanism may be found.
M1 main page - http://www.m1.com.sg
CGI-script exposure:
https://www.m1.com.sg/m1/m1link/index.pl
https://www.m1.com.sg/m1/m1link/Include/match.pl
and possibly others.
Solution:
Reconfigure https server for proper operation.
Note:
I have given notice to M1 a few days back, but nothing has been done.
