[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:....">

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:....">
From: Philip Stoev <phiphi@BGNET.BG>
Date: Wed, 5 Jan 2000 00:29:10 +0200
Reply-To: philip_stoev@iname.com

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

This is not exactly the case.

Hotmail says you do not have JavaScript because you do not have a 'js'
hidden form field set to some value ('yes') by a small JavaScript on
Hotmail's front-door login form. A simple script written in ELZA
(http://phiphi.hypermart.net) will set this one to the correct value and be
able to do anything within Hotmail, without being a JavaScripting host on
its own. If you want to disable JavaScript and still use Hotmail, download
The ELZA and create your own login form that will work without JavaScript.

AFAK Hotmail uses JavaScript for the "Select All Messages" check box and
for the Address Book. Both have nothing to do with authentication.

Philip

> this is a good security hint - but no workaround for hotmail users.
hotmail
> (perhaps only the MS passport service) needs javascript - without it you
> only get the following message:
>
> Sign In Access Error
> JavaScript required. The browser that you are using does not support
> JavaScript, or you may have
> disabled JavaScript.

Prev by Date: [petrilli@digicool.com: [Zope] SECURITY ALERT]
Next by Date: Re: Symlinks and Cryogenic Sleep
Prev by thread: [petrilli@digicool.com: [Zope] SECURITY ALERT]
Next by thread: Security problem with Solstice Backup/Legato Networker recover command
Index(es):
- Date
- Thread