Re: XSS bug in hotmail login page

2002-10-09 Thread Inderjeet S Sodhi
- Original Message - From: "Russell Harding" <[EMAIL PROTECTED]> To: "Thor Larholm" <[EMAIL PROTECTED]> Sent: Tuesday, October 08, 2002 12:20 PM Subject: RE: XSS bug in hotmail login page > Hello, comments below: > > On Mon, 7 Oct 2002, Thor Larh

RE: XSS bug in hotmail login page

2002-10-08 Thread Russell Harding
Hello, comments below: On Mon, 7 Oct 2002, Thor Larholm wrote: > It's very simple, you can inject arbitrary scripting to be executed by the > user in the context of hotmail. This means that you can e.g. steal his > cookies or, if he's logged in, write emails from his account, delete his > mails

Re: XSS bug in hotmail login page

2002-10-08 Thread Berend-Jan Wever
l Rauf Danka" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, October 08, 2002 14:11 Subject: Re: XSS bug in hotmail login page > A lot can happen for sure, but I tried one myself, to redirect the request to some other webpage. > One can make a fake hotmail pag

Re: XSS bug in hotmail login page

2002-10-08 Thread Muhammad Faisal Rauf Danka
A lot can happen for sure, but I tried one myself, to redirect the request to some other webpage. One can make a fake hotmail page asking for password storing it locally in a text file and then again redirect to the original hotmail page. Using this method one could steal passwords of hotmail/MS

RE: XSS bug in hotmail login page

2002-10-08 Thread Thor Larholm
> From: Russell Harding [mailto:[EMAIL PROTECTED]] > Is there another way to exploit this which I am not > seeing? Or does MSN actually have their act together > (in this particular case...)? > > -Russell > > P.S. Well, I suppose the real question may be this: > Is there a way to concate

RE: XSS bug in hotmail login page

2002-10-07 Thread Thor Larholm
> From: Peter Rdam [mailto:[EMAIL PROTECTED]] > They didn't react, and I'm pretty curious about what > is possible with the bug. And I actually hope that > someone can tell me about it and maybe Microsoft will > do something about it.. It's very simple, you can inject arbitrary scripting to be