[27336] in bugtraq

RE: XSS bug in hotmail login page

daemon@ATHENA.MIT.EDU (Thor Larholm)
Mon Oct 7 19:36:57 2002

Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB03470DED@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'Peter Rdam'" <hell@weedmail.com>, bugtraq@securityfocus.com
Date: Mon, 7 Oct 2002 17:57:24 +0200 
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

> From: Peter Rdam [mailto:hell@weedmail.com]
> They didn't react, and I'm pretty curious about what 
> is possible with the bug. And I actually hope that 
> someone can tell me about it and maybe Microsoft will 
> do something about it..

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.



Regards
Thor Larholm
Jubii A/S - Internet Programmer
