Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:....">

Subject: Re: Hotmail security hole - injecting JavaScript using
From: Philip Stoev (phiphiBGNET.BG)
Date: Tue Jan 04 2000 - 16:29:10 CST

• Next message: Raymond Dijkxhoorn: "Re: Flaw in 3c59x.c or in Kernel?"
• Previous message: Edwin Gonzalez: "Re: Hotmail security hole - injecting JavaScript using <IMG"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is not exactly the case.

Hotmail says you do not have JavaScript because you do not have a 'js'
hidden form field set to some value ('yes') by a small JavaScript on
Hotmail's front-door login form. A simple script written in ELZA
(http://phiphi.hypermart.net) will set this one to the correct value and be
able to do anything within Hotmail, without being a JavaScripting host on
its own. If you want to disable JavaScript and still use Hotmail, download
The ELZA and create your own login form that will work without JavaScript.

AFAK Hotmail uses JavaScript for the "Select All Messages" check box and
for the Address Book. Both have nothing to do with authentication.

Philip

> this is a good security hint - but no workaround for hotmail users.
hotmail
> (perhaps only the MS passport service) needs javascript - without it you
> only get the following message:
>
> Sign In Access Error
> JavaScript required. The browser that you are using does not support
> JavaScript, or you may have
> disabled JavaScript.

• Next message: Raymond Dijkxhoorn: "Re: Flaw in 3c59x.c or in Kernel?"
• Previous message: Edwin Gonzalez: "Re: Hotmail security hole - injecting JavaScript using <IMG"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Tue Jan 04 2000 - 21:04:47 CST