Re: User Editor Page and clear text passwords

But you don't need to capture a password to do that. All you need is to capture a cookie. And considering this site isn't using HTTPS, capturing cookies is as hard as capturing a password.

Abigail

Comment on Re: User Editor Page and clear text passwords

Replies are listed 'Best First'.
Re: Re: User Editor Page and clear text passwords by exussum0 (Vicar) on Feb 15, 2004 at 23:21 UTC
Considering that a lot of people use JS in their browswers... 1. Copy the cookie value of perlmonks.org to another cookie for mycustomserver.com 2. Post a cute link or something and have the victim visit it at SOME time, either via cb, a node or something. 3. On mycustomserver.com, have your home page capture the cookie and write it somewhere. Then its a matter of reusing that cookie. As for passwords, I haven't played much with iframes, js and capturing form fields yet, but I wouldn't be surprised if something can't be concocted. Just some thoughts on your comment. And what BUU is pointing out, is if someone does hack the server and gets all passwords, the site becomes useless, and everyone has to start over. Play that funky music white boy..	[reply]
Re: Re: Re: User Editor Page and clear text passwords by Anonymous Monk on Feb 16, 2004 at 07:18 UTC
JS don't mean much. JUST AVOID HOMENODES and you'll be fine.	[reply]