Bugtraq mailing list archives
Hotmail security vulnerability - injecting JavaScript using <STYLE> tag
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 13 Sep 1999 15:41:34 +0300
There is a major security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the <STYLE> tag. The vulnerability is present if the user uses Internet Explrer 5.0 or Netscape Communicator 4.x (though the exploit is different). Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but I am pretty sure it is also possible to read user's messages, to send messages from user's name and doing other mischief. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. It is much easier to exploit these vulnerabilities if the user uses Internet Explorer 5.0. Note: This is not a browser problem, it is Hotmail's problem. Workaround: Disable JavaScript The code that must be embeded in a HTML email message is: For IE 5.0: <P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" > For Netscape Communicator: <STYLE TYPE="text/javascript"> alert('JavaScript is executed'); a=window.open(document.links[2]); setTimeout('alert(\'The first message in your Inbox is from: \'+a.document.links[26].text)',20000); </STYLE> Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Regards, Georgi Guninski http://www.nat.bg/~joro
Current thread:
- (no subject) Mark Ultor (Sep 09)
- Re: your mail KSR[T] Contact Account (Sep 11)
- elm filter program Cornelius Krasel (Sep 12)
- Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Georgi Guninski (Sep 13)
- Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Olaf Titz (Sep 14)
- Re: Hotmail security vulnerability - injecting JavaScript using Alan Cox (Sep 15)
- Re: Hotmail security vulnerability - injecting JavaScript using<STYLE> tag Georgi Guninski (Sep 15)
- Re: Hotmail security vulnerability - injecting JavaScript using<STYLE> tag Eivind Eklund (Sep 15)
- [support_feedback () us-support external hp com: Security Bulletins Digest] Patrick Oonk (Sep 15)
- Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Georgi Guninski (Sep 13)
- Re: elm filter program Bill Pemberton (Sep 13)
- [RHSA-1999:037-01] Buffer overflow in mars_nwe Bill Nottingham (Sep 13)