RE: XSS bug in hotmail login page

From: Thor Larholm (Thorat_private)
Date: Mon Oct 07 2002 - 08:57:24 PDT


    > From: Peter Rdam [mailto:hellat_private]
    > They didn't react, and I'm pretty curious about what 
    > is possible with the bug. And I actually hope that 
    > someone can tell me about it and maybe Microsoft will 
    > do something about it.
    
    It's very simple: you can inject arbitrary scripting to be executed by the
    user in the context of Hotmail. This means that you can e.g. steal his
    cookies or, if he's logged in, write emails from his account, delete his
    mails and change his password.
    
    
    
    Regards
    Thor Larholm
    Jubii A/S - Internet Programmer
    


