Subject: Sprint PCS vulnerable to malicious tags
From: Paul Schreiber (shrub YAHOO.COM)
Date: Fri Feb 04 2000 - 13:22:31 CST

I'm sure you're all familiar with the CERT advisory:
http://www.cert.org/advisories/CA-2000-02.html

Sprint PCS's web site is vulnerable to this flaw. Any text
you enter into the customer care area is subsequently
displayed verbatim on a web page:
https://www.sprintpcs.com/manage/myaccount.asp

To access that page, you must have a Sprint PCS account and
password. As soon as you post your question, it will appear
in your case history -- HTML and all.

At this point in time, it is unclear whether Sprint PCS
customer service representatives use a web browser to
respond to these questions. If this is the case, clever
hackers could exploit this vulnerability to gain sensitive
information about Sprint PCS, possibly including
confidential customer information.

There is a similar form for non-customers at:
https://www.sprintpcs.com/learn/form_public_question.asp

You don't get to see the results yourself, but, again, if
Sprint PCS reps use a web browser, their systems could be
compromised.

Paul
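
Added example, not part of the original post and not Sprint PCS code: a hypothetical case-history renderer that shows submitted questions either verbatim (the behaviour the post describes) or HTML-encoded at output time, with a parser-based check for tags the page template did not emit. The function names, the `ul`/`li` template and the sample questions are all constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Tags the hypothetical case-history template emits itself.
TEMPLATE_TAGS = {"ul", "li"}

# Constructed sample questions, as a customer might submit them.
SAMPLE_QUESTIONS = [
    "Why is my bill <b>so high</b>?",
    '<script>alert("case history")</script>',
    "Is 3 < 5 & 5 > 3 on my plan?",
]

def render_case_history(questions, encode=True):
    """Render stored questions as an HTML list.

    encode=False shows the text verbatim, as the post describes;
    encode=True HTML-encodes every question at output time.
    """
    items = []
    for question in questions:
        body = html.escape(question, quote=True) if encode else question
        items.append(f"<li>{body}</li>")
    return "<ul>" + "".join(items) + "</ul>"

class _Collector(HTMLParser):
    """Record what an HTML parser sees: start tags and text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    collector = _Collector()
    collector.feed(page)
    collector.close()
    return collector.tags, "".join(collector.text)

def injected_tags(page):
    """Tags present in the page that the template did not emit."""
    return [tag for tag in parse(page)[0] if tag not in TEMPLATE_TAGS]

if __name__ == "__main__":
    for encode in (False, True):
        page = render_case_history(SAMPLE_QUESTIONS, encode=encode)
        print(f"encode={encode}: injected tags = {injected_tags(page)}")
```

With encoding on, the reader of the case history (customer or representative) still sees exactly the characters that were typed, but none of them are parsed as markup. In classic ASP, which the `.asp` URLs above suggest, the corresponding output step is `Server.HTMLEncode`.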