[13216] in bugtraq
Re: Hotmail security hole - injecting JavaScript using
daemon@ATHENA.MIT.EDU (Philip Stoev)
Tue Jan 4 21:30:32 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <200001050028.AAA28123@bgnet.bg>
Date: Wed, 5 Jan 2000 00:29:10 +0200
Reply-To: philip_stoev@iname.com
From: Philip Stoev <phiphi@BGNET.BG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This is not exactly the case.
Hotmail says you do not have JavaScript because you do not have a 'js'
hidden form field set to some value ('yes') by a small JavaScript on
Hotmail's front-door login form. A simple script written in ELZA
(http://phiphi.hypermart.net) will set this one to the correct value and be
able to do anything within Hotmail, without being a JavaScripting host on
its own. If you want to disable JavaScript and still use Hotmail, download
The ELZA and create your own login form that will work without JavaScript.
AFAK Hotmail uses JavaScript for the "Select All Messages" check box and
for the Address Book. Both have nothing to do with authentication.
Philip
> this is a good security hint - but no workaround for hotmail users.
hotmail
> (perhaps only the MS passport service) needs javascript - without it you
> only get the following message:
>
> Sign In Access Error
> JavaScript required. The browser that you are using does not support
> JavaScript, or you may have
> disabled JavaScript.
