https (http over ssl) is to provide secure connection, but for this website, they are exposing their cgi scripts through https. The worst part of it is their password checking scripts can be obtained. Bugs in the scripts maybe exploited or loopholes in the password checking mechanism may be found. M1 main page - http://www.m1.com.sg CGI-script exposure: https://www.m1.com.sg/m1/m1link/index.pl https://www.m1.com.sg/m1/m1link/Include/match.pl and possibly others. Solution: Reconfigure https server for proper operation. Note: I have given notice to M1 a few days back, but nothing has been done.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:16 PDT