im not sure if this works, but on the old POP3/HTTP servers, u could enter 1000+ characters for the password and it would overload and get u in there
Printable View
im not sure if this works, but on the old POP3/HTTP servers, u could enter 1000+ characters for the password and it would overload and get u in there
yeah useing the cold fustion software you can do that but the vendors updated that and patched it
yeah, i noticed it still works on AIM though! that should be fixed
yet another nasty ass buffer overflow hole :(
p0rtsniprX -- You said it still works on AIM... I tried it nothing happened... you using an old version of AIM?
One would be thinking that if a vulnerability is so wellknown and yet incredibly simplistic that even the lowest, most useless neophyte knows about it, major companies like hotmail and yahoo would have it patched. Then again what do I know?
Screwed? Hardly.
-Keisha
well, it looks like it work on Aim i tried it tru my Trillian and it went tru.
Sorry, I'm not the type of person to hack hotmail or anything. I'm not lame or I don't try to be 1337..
JRoc - why do you have 3 red boxs again?
papoluca3, how did u get it to work on trillian if it trillian only alowes 16 charcters for its password? A older version? J/w becouse I don't belive this works. I could care less if it works or not, I'm just in a boring class right now, so i felt like posting something.
Do most web broswsers all ow you to have 1000 characters in the password field? limiting the number of characters would fix this bug, wouldn't it?
Not necessarly because on some software if you keep on holding down a key it will have a run 32 error and fill up the buffer
hacking hotmails, wow the hack of the millenium!
Go away l4m3r5!
HOTMAIL IS THE WORLD'S MOST INSECURE E-MAIL SERVICE SINCE MILLIONS ARE USING IT! YAHOO? THEY ARE SOMEHOW LINKED TO MICROSOFT, SO, YAHOO = MICROSOFT = BAD + EVIL
Relying solely on a client's browser to do input format validation is not a good idea: it's VERY easy to send http requests by hand...Quote:
Originally posted here by jcmcb
Do most web broswsers all ow you to have 1000 characters in the password field? limiting the number of characters would fix this bug, wouldn't it?
For example, if a site relies on the max length property of the input tag in html, you could save the html page, edit the input tag to remove the max length and then reload the saved page in your browser, enter the ridiculously long password and boom...
Same applies for sites that use hidden fields to store prices!
(Apparently quite a few still do so... !!)
Ammo
That's one pointless/groundless post if I ever saw one...Quote:
Originally posted here by lawrence171
HOTMAIL IS THE WORLD'S MOST INSECURE E-MAIL SERVICE SINCE MILLIONS ARE USING IT! YAHOO? THEY ARE SOMEHOW LINKED TO MICROSOFT, SO, YAHOO = MICROSOFT = BAD + EVIL
How does being used by millions imply that it's insecure??!
"are somehow linked to Microsoft"... Wow that's some piece of evidence...
Ammo