Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC=&quot;javascript:....&quot;>

[phiphi () BGNET BG (Philip Stoev)]

This is not exactly the case.

Hotmail says you do not have JavaScript because you do not have a 'js'
hidden form field set to some value ('yes') by a small JavaScript on
Hotmail's front-door login form. A simple script written in ELZA
(http://phiphi.hypermart.net) will set this one to the correct value and be
able to do anything within Hotmail, without being a JavaScripting host on
its own. If you want to disable JavaScript and still use Hotmail, download
The ELZA and create your own login form that will work without JavaScript.

AFAK Hotmail uses JavaScript for the "Select All Messages" check box and
for the Address Book. Both have nothing to do with authentication.

Philip

> this is a good security hint - but no workaround for hotmail users.
hotmail
> (perhaps only the MS passport service) needs javascript - without it you
> only get the following message:
>
> Sign In Access Error
> JavaScript required. The browser that you are using does not support
> JavaScript, or you may have
> disabled JavaScript.