hii ol
hotmail is open again
so try ya hand out if ya know some javscript
-pankaj
--------
Details:
There is a major security flaw in Hotmail which allows
injecting and
executing JavaScript code in an email message using
the javascript protocol.
This exploit works both on Internet Explorer 5.x
(almost sure IE 4.x) and
Netscape Communicator 4.x. Hotmail filters the
"javascript:" protocol for
security reasons. But the following JavaScript is
executed: <IMG
LOWSRC="javascript:alert('Javascript is executed')">
if the user has enabled
automatically loading of images (most users have).
Executing JavaScript when the user opens Hotmail email
message allows for
example displaying a fake login screen where the user
enters his password
which is then stolen. I don't want to make a scary
demonstration, but it is
also possible to read user's messages, to send
messages from user's name and
doing other mischief. It is also possible to get the
cookie from Hotmail,
which is dangerous. Hotmail deliberately escapes all
JavaScript (it can
escape) to prevent such attacks, but obviously there
are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.x
Workaround: Disable JavaScript
The code that must be included in HTML email message
is:
--------------------------------------------------------
<IMG LOWSRC="javascript:alert('Javascript is
executed')">
--------------------------------------------------------Regards,Georgi
Guninski
http://www.nat.bg/~joro
__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/
The mailing list archives are available at
http://lists.linux-india.org/cgi-bin/wilma/linux-delhi/
