Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-disclosure] MSN Plus Password Change Security Bypass Vulnerability
From: m0fo (editorsec.org.il)
Date: Sat Nov 05 2005 - 11:34:14 CST
MSN Plus Password Change Security Bypass Vulnerability
publisher: m0fo (editor at sec.org.il)
vendor: www.msgplus.net <http://www.msgplus.net/>
Msn Plus! is additional aplication for MSN Messenger. This application
adding a lot of new options into the MSN Messenger so it will be easier to
use it. One of the application's option is to set a password witch lock the
application, lock the logs, etc. its easy to set password for this, but its
much easier to change it, while someone trying to change password that
already set, he doesnt need to fill in the old password, this may cause a
malicious user to take control over the application, maybe reading your
talks, locking your MSN, etc.
all versions of that MSN Plus! are vulnerable to this flow, my advice is not
to use it.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/