Bugtraq mailing list archives
Re: Yet another major Hotmail security hole - injecting JavaScript using "javasCript:"
From: brian () ASL CA (Brian Hampson)
Date: Thu, 23 Sep 1999 13:31:16 -0700
When we last heard from you, the following words rang out across the 'Net:
I tested your script on my own Hotmail account, but the execution of the Javascript failed. I'm using Netscape Communicator 4.05.
I also tested the same script using Internet Explorer 4.0 build 4.72.3110.4 SP1, it didn't execute in IE.
The Javascript alert works in IE5. I don't think the "first message in your mailbox part" does though.

I had cobbled together a very basic HTML message consisting of:

    <HTML><BODY>
    -YOUR FAVOURITE CODE HERE INCLUDING ASCII replacement for javascript-
    </BODY></HTML>

I can't see that Hotmail will ever be able to block javascript if this is the case...think..you could replace any letter, or any combination of letters. Major coding hassle.

--
Brian P. Hampson
ASL Analytical Service Laboratories Ltd
System Administrator, Vancouver, BC (604)253-4188
----------------- http://www.ASL.CA/ ----------------------------
Speaking for myself, not ASL
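
The filtering problem raised in this message, as an added example that is not part of the original post or of Hotmail's code: a substring blacklist applied to the raw attribute value misses character-reference spellings of the scheme, while decoding to a canonical form first and then applying a scheme allowlist does not. The function names, the allowed-scheme set and the sample URLs are assumptions constructed for illustration.

```python
import html
import re

# Assumption: the only URL schemes permitted in message HTML.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII control characters and whitespace, which browsers may ignore in a URL.
_IGNORED = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def naive_filter_blocks(url):
    """Weak approach: substring blacklist on the raw attribute value."""
    return "javascript:" in url.lower()


def canonical_scheme(url):
    """Return the lower-cased scheme after decoding, or None if relative."""
    prev = None
    # Decode character references until the value stops changing. This is
    # stricter than a browser's single pass, so nested encodings are
    # resolved (and judged) too.
    while prev != url:
        prev, url = url, html.unescape(url)
    # Drop control characters and whitespace before looking for the scheme.
    url = _IGNORED.sub("", url)
    match = _SCHEME.match(url)
    return match.group(1).lower() if match else None


def url_is_allowed(url):
    """Allowlist decision made on the canonical form, not the raw text."""
    scheme = canonical_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample attribute values.
    samples = [
        "javascript:void(0)",
        "java&#115;cript:void(0)",
        "&#x6A;avascript:void(0)",
        "jav&#9;ascript:void(0)",
        "https://example.com/a?b=1&amp;c=2",
        "/inbox",
    ]
    for s in samples:
        print(f"{s!r:40} naive_blocks={naive_filter_blocks(s)!s:5} "
              f"allowed={url_is_allowed(s)}")
```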