[11971] in bugtraq
Re: Yet another major Hotmail security hole - injecting
daemon@ATHENA.MIT.EDU (Brian Hampson)
Thu Sep 23 18:08:58 1999
Message-Id: <199909232034.NAA16957@asl.ca>
Date: Thu, 23 Sep 1999 13:31:16 -0700
Reply-To: Brian Hampson <brian@ASL.CA>
From: Brian Hampson <brian@ASL.CA>
X-To: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <005101bf052d$a2735d80$0100a8c0@dell>
When we last heard from you, the following words rang out across the 'Net:
>I tested your script on my own Hotmail account, but the execution of the
>Javascript failed. I'm using Netscape Communicator 4.05.
>I also tested the same script using Internet Explorer 4.0 build 4.72.3110.4
>SP1, it didn't execute in IE.
The Javascript alert works in IE5. I don't think the "first message in your
mailbox part" does though.
I had cobbled together a very basic HTML message consisting of:
<HTML><BODY>
-YOUR FAVOURITE CODE HERE INCLUDING ASCII replacement for javascript-
</BODY></HTML>
I can't see that Hotmail will ever be able to block javascript if this is the
case... think... you could replace any letter, or any combination of letters.
Major coding hassle.
--
Brian P. Hampson ASL Analytical Service Laboratories Ltd
System Administrator, Vancouver, BC (604)253-4188
----------------- http://www.ASL.CA/ ----------------------------
Speaking for myself, not ASL
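
Added example, not part of the original message or of any Hotmail code: a sketch of why a filter that looks for the literal text "javascript:" misses character-reference spellings, next to a check that decodes the value first and then allowlists the URL scheme. The function names, the allowed-scheme set and the sample values are assumptions made for this illustration.

```python
import html
import re

# Assumption for this sketch: only these schemes are acceptable in mail links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")  # whitespace and control characters


def naive_is_safe(value: str) -> bool:
    """Blocklist on the literal text, the approach the post argues cannot keep up."""
    return "javascript:" not in value.lower()


def canonicalize(value: str) -> str:
    """Decode character references once, as an HTML parser does, then normalize."""
    decoded = html.unescape(value)      # &#106; / &#x6A; / &amp; -> characters
    return _IGNORED.sub("", decoded)    # drop whitespace and control characters


def is_safe_url(value: str) -> bool:
    """Allowlist the scheme after canonicalization; scheme-less values are relative."""
    match = _SCHEME.match(canonicalize(value))
    if match is None:
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES


# Constructed sample attribute values (not taken from the thread).
SAMPLES = [
    "http://example.com/",
    "/cgi-bin/inbox",
    "javascript:alert(1)",
    "&#106;avascript:alert(1)",
    "&#x6A;&#x61;vascript:alert(1)",
    "unknown-scheme:payload",
]


def audit(samples=SAMPLES):
    """Return (value, naive verdict, allowlist verdict) for each sample."""
    return [(s, naive_is_safe(s), is_safe_url(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, strict in audit():
        print(f"{value!r:36} naive={naive!s:5} allowlist={strict}")
```

This covers URL-valued attributes only; script can also arrive through elements and event-handler attributes, so a mail sanitizer would parse the HTML and allowlist those as well.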