Re: Hushmail.com accounts vulnerable to script attack.

From: Brian Smith (sundaydriverat_private)
Date: Thu Sep 13 2001 - 08:57:15 PDT


    The vulnerability has been fixed.  We have no record 
    of a notification on September 5th, or we certainly 
    would have fixed this earlier.  It was a very 
    straightforward issue involving a failure to use the 
    htmlspecialchars() PHP function in that area of the 
    code.  It is our general practice to always use this 
    method when displaying information using PHP in 
    order to avoid such scripting vulnerabilities, and we 
    regret the unfortunate oversight.
    
    Many thanks to 1; and everyone else who has helped 
    us keep HushMail secure in the past.
    
    Brian Smith
    Vice President, Engineering
    Hush Communications
    brian.smithat_private
    
    > TOPIC: Hushmail.com accounts vulnerable to script attack.
    > ADVISORY NR: 200102
    > DATE: 12-09-01
    > VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
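
The class of bug described in the message above, a PHP page that prints untrusted text without htmlspecialchars(), shown beside its escaped form. This is an added example, not HushMail's code and not part of the original message: the message does not say which field was affected, so the function names, field names and sample values here are hypothetical.

```php
<?php
// Added example. renderRowUnsafe(), renderRowSafe(), h() and the message
// fields are hypothetical; the sample values are constructed for illustration.

/** Escape untrusted text for HTML element content or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES escapes both " and '. ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the call return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** "Before": untrusted fields are interpolated straight into the markup. */
function renderRowUnsafe(array $msg): string
{
    return "<tr><td title='{$msg['from']}'>{$msg['subject']}</td></tr>";
}

/** "After": every untrusted field passes through h() at the point of output. */
function renderRowSafe(array $msg): string
{
    return "<tr><td title='" . h($msg['from']) . "'>" . h($msg['subject']) . "</td></tr>";
}

// Constructed sample message carrying markup in both fields.
$msg = [
    'from'    => "x' onmouseover='alert(1)",
    'subject' => '<script>alert(1)</script>',
];

echo renderRowUnsafe($msg), PHP_EOL; // markup from the message reaches the page intact
echo renderRowSafe($msg), PHP_EOL;   // the same text is rendered as inert characters

// ENT_COMPAT escapes only double quotes, so on its own it does not protect
// the single-quoted title attribute used above; ENT_QUOTES does.
echo htmlspecialchars($msg['from'], ENT_COMPAT, 'UTF-8'), PHP_EOL;
echo h($msg['from']), PHP_EOL;
```

Passing the flags and charset explicitly matters because the default flags of htmlspecialchars() did not include single quotes before PHP 8.1.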
    


