hi, In his post to bugtraq, Ben Li spoke about a bug in most of next generation browsers that deal with css and a broken image that leads to a general html links corruption. A similar problem exist with css used inside a web base mail server with this time a plain image but no link needed. It's possible to generate some mail trojans that will recover user personal information like passwords. It's no longer a bug in the browsers, but in the implementation of servers html filters. i did some test with hotmail and msie 4/5 (NT) and it work really fine. (did not try netscape) In fact we have here a very serious hole . It was possible (at least with hotmail) to use a background layer with a full blank picture to erase all the browser screen ( hotmail desktop) and by using another top layer with a slightly modified password requester it would be easy to fool most people around here. a simple 'img href' to an outside 1x1 white pixel picture expanded to 1280x768 is ok for the background layer and will clean everything. Since the new frame appear over the first one and not in a new window like in the usual way, the Microsoft top frame warning that user is going outside hotmail will no longer exist. So, from the user side, just after clicking on his mail to read it, the screen will show him what he would trust to be the hotmail relogin page. (session timeout). The URL inside the browser is still hotmail so he has no really obvious reason to worry except if he took the same login page 2 minutes just before. The relogin page, embedded in the mail inside the top layer, won't be really the same as the original one, the form field may be changed with an unsecure http connection and a GET method while pointing to the attacker web server. Then, the password in his web server logs, the attacker may finaly redirect the victim to the real page. Conclusion: Micro$oft should reconsider the seriousness of this threat ( $ feature $ ) by blocking css and may be layers too. below, "only some skulls" of a mail exploit: copyrighted material was needed. == horsemail.com == <div align="left"> <div id="layer1" style="width:99px; height:99px; position:absolute; left:0px; top:0px; z-index:0;"> <!-- First Layer, a big blank screen to hide Hotmail desk --> <div id="layer2" style="position:absolute; left:140; top:100; z-index:0;"> <!-- Layer 2, will show up text, pics, form --> <!-- Here the new hotmail login.html that point to our web server Need Microsoft login page with all copyrighted logos, banners ... --> </div> </div> Have a nice day, ================= Gregory Duchemin NEUROCOM CANADA 1001 bd Maisonneuve Ouest - suite 200 Montreal(Quebec) H3A 3C8 CANADA [EMAIL PROTECTED] ;) _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.