Re: Security flaws in Yahoo Mail

Andrew Brown (codewarrior@daemon.org)
Tue, 14 Oct 1997 23:34:39 -0400

>I'm not particularly thrilled with Hotmail's setup either. I am sure
>this must have been discussed before, but can't recall it so...
>
>From what I can tell, it authenticates you based on the URL you ask
>for (some user information is embedded in it; not the password though)
>and the IP address you are coming from. I'm assuming there is some
>timeout on the IP address; hmm... looking further, perhaps not. It may
>just keep the last used one.

heh heh. i think this just "happened" to my web server. i amuse
myself by reading the logs and wondering about most of the hits and
referrals. then this one struck me:

http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.103_d7&login=fofer&f=33795&curmbox=ilmrr&msg=MSG876680194.0&start=39557&len=913

i found it amusing. so i dug a little deeper and concluded that it
was this hit in my access log.

200.23.241.120 - - [12/Oct/1997:23:29:43 -0400] "GET / HTTP/1.0" 200 1717

now then, 200.23.241.120 maps to gdl1_b_120.uninet.net.mx (i have no
idea why it didn't two nights ago when my web server tried to look it
up), and 207.82.250.251 is an address for www.hotmail.com.

anyway, when i tried to access the url from the referers log, i got a
page that said:

We're Sorry, We Cannot
Process Your Request

Reason: Intrusion Logged. Access denied.

so apparently i'm an "intruder". ooh! i'm scared!

--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
codewarrior@daemon.org                               that goes *ping*!"
warfare@graffiti.com      * "information is power -- share the wealth."
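As an added example that is not part of the original post: a small Python check for the leak described above, scanning a referer log for third-party URLs that carry session-identifying query parameters (the old Apache "referer -> document" log shape, the parameter list and the sample lines are all assumptions constructed for illustration).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names that identify a user or mailbox session rather than a
# public resource. Taken from the URL quoted in the post plus a few generic
# ones; extend for your own environment (assumption, not an exhaustive list).
SESSION_PARAMS = {"login", "curmbox", "msg", "disk", "session", "sid", "token"}

# Assumed log shape: "<referer> -> <requested document>" (Apache ReferLog style).
_LINE = re.compile(r"^(?P<referer>\S+) -> (?P<document>\S+)$")


def leaked_session_urls(log_lines, own_hosts):
    """Return (referer, sorted parameter names) for every line whose referer
    comes from another host and carries session-identifying parameters.
    own_hosts: this server's hostnames, so internal navigation is ignored."""
    hits = []
    for line in log_lines:
        m = _LINE.match(line.strip())
        if not m or m.group("referer") == "-":
            continue  # unparsable line or no Referer header sent
        ref = m.group("referer")
        parts = urlsplit(ref)
        if parts.scheme not in ("http", "https") or parts.hostname in own_hosts:
            continue
        found = sorted(k for k in parse_qs(parts.query) if k.lower() in SESSION_PARAMS)
        if found:
            hits.append((ref, found))
    return hits


# Constructed sample referer log: one webmail URL of the shape quoted in the
# post (placeholder host and user), one search-engine hit, one internal link,
# and one request that sent no Referer at all.
SAMPLE_LOG = """\
http://webmail.example/cgi-bin/getmsg?disk=d7&login=someuser&curmbox=inbox&msg=MSG1.0 -> /
http://search.example/query?q=daemon.org -> /
http://www.example.org/index.html -> /about.html
- -> /robots.txt
"""

if __name__ == "__main__":
    for ref, params in leaked_session_urls(SAMPLE_LOG.splitlines(), {"www.example.org"}):
        print("session URL leaked via Referer:", ref, "params:", params)
```

A hit means a visitor's webmail session URL reached your server in the Referer header, which is exactly the exposure the post reports; the fix belongs on the webmail side (session state in cookies or POST bodies rather than GET query strings).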