|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Hotmail security hole - injecting JavaScript using <IMGLOWSRC="javascript:....">
Subject: Re: Hotmail security hole - injecting JavaScript using
Also as a note, Netscape Messenger 4.x does execute the same code in its
The main difference between these problems, is the mail client does allow
On a side note, I notice USA.net (another web based interface) used a work
Kit Skinner
Georgi Guninski wrote:
> Georgi Guninski security advisory #1, 2000
_____________________________________________________________________
This archive was generated by hypermail 2b27
: Tue Jan 04 2000 - 08:02:59 CST
From: Kit (smallfoxx
MINDLESS.COM)
Date: Tue Jan 04 2000 - 00:15:27 CST
e-mail messages but does allow you to disable the option. The choice can be
found under Edit\Preferences\Advanced and the check box is titled enable
JavaScript for Mail and News.
you to differentiate because you are receive the messages in a different
context then Web Pages; however, Hotmail is just another web page to the
browser.
around in that if it receives a message like that it changes the
"javascript" to "zavascript" preventing the browser from executing it as a
command. Cute and hokey but effective.
>
> Hotmail security hole - injecting JavaScript using <IMG
> LOWSRC="javascript:....">
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> Hotmail allows executing JavaScript code in email messages using <IMG
> LOWSRC="javascript:....">,
> which may compromise user's Hotmail mailbox.
>
> Details:
> There is a major security flaw in Hotmail which allows injecting and
> executing JavaScript code in an email message using the javascript
> protocol.
> This exploit works both on Internet Explorer 5.x (almost sure IE 4.x)
> and Netscape Communicator 4.x.
> Hotmail filters the "javascript:" protocol for security reasons.
> But the following JavaScript is executed: <IMG
> LOWSRC="javascript:alert('Javascript is executed')"> if the user has
> enabled automatically loading of images (most users have).
>
> Executing JavaScript when the user opens Hotmail email message allows
> for example
> displaying a fake login screen where the user enters his password which
> is then stolen.
> I don't want to make a scary demonstration, but it is also possible to
> read user's
> messages, to send messages from user's name and doing other mischief.
> It is also possible to get the cookie from Hotmail, which is dangerous.
> Hotmail deliberately escapes all JavaScript (it can escape) to prevent
> such attacks, but obviously there are holes.
> It is much easier to exploit this vulnerability if the user uses
> Internet Explorer 5.x
>
> Workaround: Disable JavaScript
>
> The code that must be included in HTML email message is:
> --------------------------------------------------------
> <IMG LOWSRC="javascript:alert('Javascript is executed')">
> --------------------------------------------------------
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net