From: Brian Smith (sundaydriver hushmail.com)
Date: Thu Sep 13 2001 - 10:57:15 CDT
The vulnerability has been fixed. We have no record
of a notification on September 5th, or we certainly
would have fixed this earlier. It was a very
straightforward issue involving a failure to use the
htmlspecialchars() PHP function in that area of the
code. It is our general practice to always use this
method when displaying information using PHP in
order to avoid such scripting vulnerabilities, and we
regret the unfortunate oversight.
Many thanks to 1; and everyone else who has helped
us keep HushMail secure in the past.
Brian Smith
Vice President, Engineering
Hush Communications
brian.smith hush.com
> TOPIC: Hushmail.com accounts vulnerable to script attack.
> ADVISORY NR: 200102
> DATE: 12-09-01
> VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
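
The class of fix described in the message above, shown as an added example that is not part of the original post and is not HushMail's code. The field names `from` and `subject`, the helper `e()`, and the sample values are assumptions; the message does not say which field was affected.

```php
<?php
// Added illustration; field names and the sample message are constructed.

/** Escape a value for HTML element or quoted-attribute context. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which matters inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: untrusted header fields reach the page as markup. */
function renderRowUnsafe(array $msg): string
{
    return "<tr><td title='" . $msg['from'] . "'>" . $msg['subject'] . "</td></tr>";
}

/** After: every dynamic value is encoded at the point of output. */
function renderRowSafe(array $msg): string
{
    return "<tr><td title='" . e($msg['from']) . "'>" . e($msg['subject']) . "</td></tr>";
}

// Constructed sample: header fields of an incoming message.
$msg = [
    'from'    => "x' onmouseover='alert(1)",
    'subject' => '<script>alert(1)</script>',
];

echo renderRowUnsafe($msg), "\n";
echo renderRowSafe($msg), "\n";

// Escaping without ENT_QUOTES (ENT_COMPAT, the default before PHP 8.1)
// leaves the single quote intact, so a single-quoted attribute still breaks.
echo "<td title='" . htmlspecialchars($msg['from'], ENT_COMPAT, 'UTF-8') . "'>", "\n";
```

Comparing the three output lines shows why the encoding flags have to match the quoting style used in the template, not only whether htmlspecialchars() is called.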