[11914] in bugtraq
Re: Hotmail security vulnerability - injecting JavaScript using
daemon@ATHENA.MIT.EDU (Alan Cox)
Wed Sep 15 13:41:48 1999
Content-Type: text
Message-Id: <E11RDqv-0001TZ-00@the-village.bc.nu>
Date: Wed, 15 Sep 1999 13:07:55 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: olaf@BIGRED.INKA.DE
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E11QoOz-0000Ko-00@g212.hadiko.de> from "Olaf Titz" at Sep 14, 99 10:57:25 am
> Btw. the example given for IE is a classic example of what is so wrong
> with Javascript: you can do anything with it - including e.g. trivial
> stealing of passwords by popping up fake login dialogs - _even if it
> doesn't make sense in the context_. This alone is a reason to
> completely block and disable it.
In this particular case it's a beautiful example of how not to configure
a web based email system. Javascript does have a sense of security domains
and nowadays it even seems to work right (see old stuff with the one line frame
snooping on the rest)
Untrusted content should be served in a different security domain to the
main system. If hotmail handed out its own admin stuff from hotmail.com and
the message contents from ifyoutrustthisyouarecrazy.com, things would be a lot
safer. I concur, however, for many of us - not safe enough.
Alan
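The two-domain layout Alan describes, as an added example that is not code from this thread: a Host-based router that serves the UI only from hotmail.com with a host-only session cookie, and serves message bodies only from the untrusted domain, so injected script runs in an origin that holds no session state. The message, session store, paths and the `handle` function are all constructed for illustration.

```python
"""Origin-separated webmail serving: trusted UI on one host, untrusted bodies on another."""
from dataclasses import dataclass, field

APP_HOST = "hotmail.com"                     # trusted UI / admin security domain
MAIL_HOST = "ifyoutrustthisyouarecrazy.com"  # untrusted message-body domain

# Constructed inbox: one message whose HTML body carries an inline script.
MESSAGES = {"42": "<p>hi</p><script>/* sender-supplied */</script>"}
SESSIONS = {"sess-abc": "alice"}             # constructed session store


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def handle(host: str, path: str, cookie: str = "") -> Response:
    """Route a request by its Host header.

    The session cookie has no Domain attribute, so it is host-only and the
    browser never sends it to MAIL_HOST.  Message bodies are served *only*
    from MAIL_HOST, never from APP_HOST, so script inside a message lands in
    a domain that has no session and cannot touch the UI's DOM or cookies.
    """
    if host == APP_HOST:
        if path == "/login":
            return Response(200, "logged in", {
                "Set-Cookie": "sid=sess-abc; HttpOnly; Secure; Path=/"})
        if path == "/inbox":
            user = SESSIONS.get(cookie.removeprefix("sid="))
            if user is None:
                return Response(401, "login required")
            # The UI only references the body, across the domain boundary.
            frame = f'<iframe src="https://{MAIL_HOST}/msg/42"></iframe>'
            return Response(200, f"<h1>{user}'s inbox</h1>{frame}")
        if path.startswith("/msg/"):   # the misconfiguration: bodies on the UI host
            return Response(404, "message bodies are not served from this host")
        return Response(404, "")
    if host == MAIL_HOST:
        if path.startswith("/msg/"):
            body = MESSAGES.get(path.rsplit("/", 1)[-1])
            if body is None:
                return Response(404, "")
            # Defence in depth: sandbox the document and set no cookies here.
            return Response(200, body, {"Content-Security-Policy":
                            f"sandbox; frame-ancestors https://{APP_HOST}"})
        return Response(404, "")
    return Response(421, "misdirected request")
```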