REPORTING BUG
Deep-Hack
deepali at ctgsecuritysolutions.com
Wed Jun 24 21:11:56 EDT 2015
Dear Sir,
This is Deepali Malekar , Security Researcher. I have found a bug on your
site that i would like to share with you. This bug is related Credentials
are in clear text and it may be harm for your users credentials.
Vulnerability: Clear Text Credential
Vulnerable Link:
https://pidgin.im/cgi-bin/mailman/private/cabal/attachments/20070320/0e2f8078/
Parameter: username and password
POC: I have attached proof of concept as follows:
*STEPS TO REPRODUCED:*
1) Go to the following link
https://pidgin.im/cgi-bin/mailman/private/cabal/attachments/20070320/0e2f8078/
2) Now before write a password open Live HTTP header for capture header
traffic.
3) Now write the username and password and click on submit button.
4) Now check the HTTP LIVE HEADER for header response traffic...
5) You can see in image that it showing password and username in clear text
and it could be harmful when attacker is in MIMA .
I have given enough information i hope you will patch this as soon as.
If you need more details feel free contact me here.
Generally all big company provide reward for security researcher so i am
also hopping same from your end in good faith.
Thanks & Regards
Deepali Malekar
Information Security Consultant
CTG Security Solutions*™*
(Leading IT Security Services & Training Providing Company)
Website: www.ctgsecuritysolutions.com
Skype ID- cyndrela2009
[image: http://ctgsecuritysolutions.com/] <http://ctgsecuritysolutions.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150625/497d4247/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: step 2.png
Type: image/png
Size: 38059 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150625/497d4247/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: step 3.png
Type: image/png
Size: 48532 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150625/497d4247/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cleartext1.png
Type: image/png
Size: 46581 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150625/497d4247/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: step 4.png
Type: image/png
Size: 35917 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150625/497d4247/attachment-0007.png>
More information about the security
mailing list