Bugtraq mailing list archives

Re: Yet another major Hotmail security hole - injecting JavaScript using "javas&#67ript:"


From: brian () ASL CA (Brian Hampson)
Date: Thu, 23 Sep 1999 13:31:16 -0700


When we last heard from you, the following words rang out across the 'Net:

I tested your script on my own Hotmail account, but the execution of the
Javascript failed. I'm using Netscape Communicator 4.05.

I also tested the same script using Internet Explorer 4.0 build 4.72.3110.4
SP1, it didn't execute in IE.

The Javascript alert works in IE5.  I don't think the "first message in your
mailbox part" does though.

I had cobbled together a very basic HTML message consisting of:

<HTML><BODY>

-YOUR FAVOURITE CODE HERE INCLUDING ASCII replacement for javascript-

</BODY></HTML>

I can't see that Hotmail will ever be able to block javascript if this is the
case...think..you could replace any letter, or any combination of letters.
Major coding hassle.

--

   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
     ----------------- http://www.ASL.CA/ ----------------------------

Speaking for myself, not ASL
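
The point above about replacing any letter is why searching the raw message for a forbidden string fails: the filter has to decode character references the way the browser will, then accept only known URL schemes. The following is an added example, not code from the original post or from Hotmail; the function names and sample values are constructed for illustration.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample href values; only the first encoded form comes from the
# subject line of the post, the rest are made up for this example.
SAMPLES = [
    "javascript:alert(1)",
    "javas&#67ript:alert(1)",
    "&#106;&#97;vascript:alert(1)",
    "java&#x73;cript:alert(1)",
    "h&#116;tp://www.example.com/",
    "mailto:user@example.com",
    "/inbox?folder=a:b",
]


def naive_blocklist_ok(value):
    """Weak check: look for the literal string in the undecoded text."""
    return "javascript:" not in value.lower()


def url_scheme(value):
    """Decode character references the way an HTML parser does, then return
    the lowercased scheme, or None when the value is a relative URL."""
    decoded = html.unescape(value).strip()
    prefix = re.match(r"[^:/?#]*", decoded).group(0)
    if decoded[len(prefix):len(prefix) + 1] == ":":
        return prefix.lower()
    return None


def allowlist_ok(value):
    """Accept relative URLs and allowlisted schemes; reject everything else,
    including scheme-like prefixes that do not parse cleanly."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def audit(samples=SAMPLES):
    """Return (value, naive verdict, allowlist verdict) for each sample."""
    return [(s, naive_blocklist_ok(s), allowlist_ok(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, strict in audit():
        print(f"{value!r:40} naive_ok={naive!s:5} allowlist_ok={strict}")
```

Every encoded variant passes the naive check and is rejected by the allowlist check, while the entity-encoded `http` link is still accepted.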

