Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:....">
From: phiphi () BGNET BG (Philip Stoev)
Date: Wed, 5 Jan 2000 00:29:10 +0200
This is not exactly the case. Hotmail says you do not have JavaScript because you do not have a 'js' hidden form field set to some value ('yes') by a small JavaScript on Hotmail's front-door login form. A simple script written in ELZA (http://phiphi.hypermart.net) will set this one to the correct value and be able to do anything within Hotmail, without being a JavaScripting host on its own. If you want to disable JavaScript and still use Hotmail, download The ELZA and create your own login form that will work without JavaScript. AFAK Hotmail uses JavaScript for the "Select All Messages" check box and for the Address Book. Both have nothing to do with authentication. Philip
this is a good security hint - but no workaround for hotmail users.
hotmail
(perhaps only the MS passport service) needs javascript - without it you only get the following message: Sign In Access Error JavaScript required. The browser that you are using does not support JavaScript, or you may have disabled JavaScript.
Current thread:
- Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:...."> Philip Stoev (Jan 04)