Bugtraq mailing list archives

Re: Hotmail security hole - injecting JavaScript using <IMG

From: ck () RIB DE (ck () RIB DE)
Date: Fri, 7 Jan 2000 10:58:58 +0100


On Wed, 5 Jan 2000 11:37:49 +0100, Henri Torgemane wrote:

What could be useful would be a tag working like
<blockscript key=randompieceofdata>

</blockscript key=samepieceofdata>

This would just try to fix one of the symptoms. Something more
fundamentally
is wrong: Data and executable code do not belong together. Violation of
this brought us macro viruses, HTML e-mail that steals passwords, trojans,
etc.

Carsten Kuckuk (only speaking for himself)

Current thread:

Re: Blinding BIND to a moving domain, (continued)
- - - Re: Blinding BIND to a moving domain Ken Gourlay (Jan 12)
    - CyberCash MCK 3.2.0.4: Large /tmp hole Sheldon Young (Jan 12)
    - Administrivia: ORBS Elias Levy (Jan 12)
    - WebSitePro/2.3.18 is revealing Webdirectories Lark Lizerman (Jan 12)
    - Re: Hotmail security hole - injecting JavaScript using <IMG Grahame Bowland (Jan 05)
  - Yet another Hotmail security hole - injecting JavaScript in IE using "@import url(javascript:...)" Georgi Guninski (Jan 06)
  - Security Bulletins Digest Aleph One (Jan 06)
- Re: Hotmail security hole - injecting JavaScript using <IMG Metal Hurlant (Jan 05)
  - Re: Hotmail security hole - injecting JavaScript using <IMG Dustin Miller (Jan 05)
- Re: Hotmail security hole - injecting JavaScript using <IMG Edwin Gonzalez (Jan 04)
- Re: Hotmail security hole - injecting JavaScript using <IMG ck () RIB DE (Jan 07)