ssl-login-checkbox faked in Lycos webmail-frontend

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ssl-login-checkbox faked in Lycos webmail-frontend
From: "Fischer, Andreas" <Andreas.Fischer@xxxxxxxxxxxxx>
Date: Thu, 25 Aug 2005 20:14:43 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Lycos Webmail offers a checkbox named "SSL LOGIN" which let you assume a secure 
transfer of your credentials - it's only pretended! Repeatedly sniffs shows 
account and password in cleartext - no https-packet came across...
The interesting part of the relating http-packet:

...
login=dasbinich&hiddenlogin=Nutzername&hiddenpassword=******&password=geheim000&ssl=on
HTTP/1.0 302 Found
Date: Thu, 25 Aug 2005 17:51:48 GMT
Content-Length: 63
Content-Type: text/html
Expires: Fri, 26 Aug 2005 17:51:48 GMT
Cache-Control: max-age=86400, private
Proxy-Connection: keep-alive Server: Apache/1.3.33 (Unix) Resin/2.1.12 
mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.6c

...and so on. Funny, isn't it? Or poor!

Lycos informed in july 27.

greetings - fish

Prev by Date: Re: LeapFTP .lsq Buffer Overflow Vulnerability
Next by Date: Re: unload event in ie/mozilla/opera
Previous by thread: An Illustrated Guide to IPSec
Next by thread: [ GLSA 200508-16 ] Tor: Information disclosure
Index(es):
- Date
- Thread