[22639] in bugtraq
Re: Hushmail.com accounts vulnerable to script attack.
daemon@ATHENA.MIT.EDU (Brian Smith)
Thu Sep 13 12:15:18 2001
Date: 13 Sep 2001 15:57:15 -0000
Message-ID: <20010913155715.5850.qmail@securityfocus.com>
From: Brian Smith <sundaydriver@hushmail.com>
To: bugtraq@securityfocus.com
The vulnerability has been fixed. We have no record
of a notification on September 5th, or we certainly
would have fixed this earlier. It was a very
straightforward issue involving a failure to use the
htmlspecialchars() PHP function in that area of the
code. It is our general practice to always use this
method when displaying information using PHP in
order to avoid such scripting vulnerabilities, and we
regret the unfortunate oversight.
Many thanks to 1; and everyone else who has helped
us keep HushMail secure in the past.
Brian Smith
Vice President, Engineering
Hush Communications
brian.smith@hush.com
> TOPIC: Hushmail.com accounts vulnerable to script attack.
> ADVISORY NR: 200102
> DATE: 12-09-01
> VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
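The fix Brian Smith describes, an output path that writes a mail header into the page without htmlspecialchars() next to the corrected path, as an added example that is not Hush's code; the message array, the field names and the render functions are constructed for illustration.

```php
<?php
// Added example, not from Hushmail's code base. Shows the class of bug the
// reply above describes: a PHP webmail page echoing a sender-controlled
// header without htmlspecialchars(), and the corrected version.
declare(strict_types=1);

// Constructed sample message: the Subject carries markup, which any sender
// can put there. A script tag with only a comment inside is enough to show
// that the browser would treat it as code rather than text.
$msg = [
    'from'    => 'someone@example.com',
    'subject' => 'Hello <script>/* injected */</script> & "friends"',
];

// Vulnerable form: the value is concatenated into the page as-is, so every
// '<' in the subject becomes live markup in the recipient's browser.
function render_subject_vulnerable(array $msg): string
{
    return '<td class="subject">' . $msg['subject'] . '</td>';
}

// Fixed form: every message-derived value passes through htmlspecialchars()
// before it reaches the page. ENT_QUOTES also escapes single quotes, which
// matters when the same value is placed inside an attribute (title= below);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_subject_fixed(array $msg): string
{
    return '<td class="subject" title="' . esc($msg['from']) . '">'
         . esc($msg['subject']) . '</td>';
}

echo "vulnerable: " . render_subject_vulnerable($msg) . "\n";
echo "fixed:      " . render_subject_fixed($msg) . "\n";

// Self-check: strip the <td ...> wrapper and confirm no raw '<' or '"' from
// the input survived, so the browser can only render the value as text.
$out  = render_subject_fixed($msg);
$body = substr($out, strpos($out, '>') + 1);
$body = substr($body, 0, -strlen('</td>'));
if (strpos($body, '<') !== false || strpos($body, '"') !== false) {
    throw new RuntimeException('escaping failed: raw markup reached the page');
}
```

htmlspecialchars() covers HTML text and quoted attribute values only; a value placed inside a script block, a URL or an event handler attribute needs the encoder for that context instead.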