Bugtraq mailing list archives

Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag


From: metal_hurlant () YAHOO COM (Metal Hurlant)
Date: Tue, 14 Sep 1999 02:04:56 -0700


Since this is now public, I can as well add the following two ways to
the list:

NS4.x. javascript entities:
<anytag anyparam=&{alert("this will run too")}; >

NS4.x. mocha: urls:
<img src=mocha:"alert('this will run as well')" width=1 height=1>

I contacted MS on 08/10/99 about these and the style issue in NS4.x
According to the Development Manager for MSN/Hotmail: "We will fix
these in our next release, which should go live in late September. "

This is actually more than just another hotmail glitch. Many (all?) web
services are doing things wrong:

- Cookies can get stolen through CGI scripts inserting their input, without
(enough) checks, into the HTML they generate, thus allowing scripts to
run. Stealing cookies is only an example here. Once you run a script on
the same domain as the targeted web service, that script can do
anything the user himself can do (except the script doesn't know what
the user knows, like the user's password.)
Disabling scripts can help, if the web service allows you to do so.
The fix is obvious, but time-consuming: every single server script must
be verified and patched to prevent HTML tags from going unfiltered. As long
as there is one script left unchecked, the web service isn't safe.

- Keyed URLs can be found by using the referrer field: try to insert a
link in a mail message, then watch the document.referrer property you
obtain this way.
A possible fix could be to load a temporary page when the user clicks on
a mail link. That temporary page would then load the linked page. This
would set the referrer field to the URL of the temporary page, which
doesn't need to contain any key.

I don't believe any of this is new. It has been known for quite some
time. Yet, judging by the number of web services leaving their users
unprotected, it can't hurt to be said again.

Regards,
Henri Torgemane

--- Georgi Guninski <joro () NAT BG> wrote:
There is a major security flaw in Hotmail which allows injecting and
executing JavaScript code in an email message using the <STYLE> tag.
The vulnerability is present if the user uses Internet Explorer 5.0 or
Netscape Communicator 4.x (though the exploit is different).
Executing JavaScript when the user opens a Hotmail email message allows,
for example, displaying a fake login screen where the user enters his
password, which is then stolen.
I don't want to make a scary demonstration, but I am pretty sure it is
also possible to read the user's messages, to send messages in the user's
name and to do other mischief.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
It is much easier to exploit these vulnerabilities if the user uses
Internet Explorer 5.0.
Note: This is not a browser problem, it is Hotmail's problem.

Workaround: Disable JavaScript

The code that must be embedded in an HTML email message is:
For IE 5.0:

<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >

For Netscape Communicator:

<STYLE TYPE="text/javascript">
alert('JavaScript is executed');
a=window.open(document.links[2]);
setTimeout('alert(\'The first message in your Inbox is from: \'+a.document.links[26].text)',20000);
</STYLE>

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Regards,
Georgi Guninski
http://www.nat.bg/~joro


__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com
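The two points Torgemane raises above (server scripts dropping unchecked input into generated HTML, and keyed URLs leaking through the referrer when a mail link is followed), as an added example that is not code from either post. The function names, the /go path and the sample "from" and "subject" fields are assumed for illustration; the three payload strings are the ones quoted in the thread.

```javascript
// Added example (not from the original posts). Node.js, no dependencies.
// Names (escapeHtml, renderMessage, linkThrough, interstitialPage) and the
// /go hop path are assumptions for illustration.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output-encode untrusted text before a server script concatenates it into
// HTML. Every character that can open a tag, close an attribute or start an
// entity is replaced, so a <STYLE> block, an &{...} JavaScript entity and a
// mocha: URL all survive only as visible text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The pattern the thread warns about: a script inserting its input straight
// into the page it generates. Kept only to contrast with renderMessage.
function renderMessageUnsafe(from, subject) {
  return `<tr><td>${from}</td><td>${subject}</td></tr>`;
}

// The patched form: the same template, with every untrusted field encoded.
function renderMessage(from, subject) {
  return `<tr><td>${escapeHtml(from)}</td><td>${escapeHtml(subject)}</td></tr>`;
}

// Rewrite an outgoing mail link so it passes through the temporary page.
// Returns null for anything that is not a plain http(s) URL, which also
// refuses javascript: and mocha: links instead of forwarding them.
function linkThrough(target) {
  let url;
  try { url = new URL(target); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return "/go?u=" + encodeURIComponent(url.href);
}

// The temporary page itself. The mailbox page (whose URL carries the key) is
// no longer the document that links to the destination; whatever referrer
// the browser sends after the refresh, if any, is this page's own URL,
// which has no key in it.
function interstitialPage(target) {
  if (linkThrough(target) === null) return null;   // same validation as above
  const dest = escapeHtml(new URL(target).href);
  return `<html><head><meta http-equiv="refresh" content="0;url=${dest}"></head>` +
         `<body>Leaving the mailbox for <a href="${dest}">${dest}</a></body></html>`;
}

// Constructed sample input: the three payloads quoted in the thread, as a
// sender name a server script might receive.
const PAYLOADS = [
  '<STYLE TYPE="text/javascript">alert(1)</STYLE>',
  '<anytag anyparam=&{alert("this will run too")}; >',
  '<img src=mocha:"alert(\'this will run as well\')" width=1 height=1>',
];

function demo() {
  for (const p of PAYLOADS) {
    console.log("unsafe:", renderMessageUnsafe(p, "hi"));
    console.log("safe:  ", renderMessage(p, "hi"));
  }
  console.log(linkThrough("http://www.nat.bg/~joro"));
  console.log(interstitialPage("http://www.nat.bg/~joro"));
  console.log(linkThrough('mocha:"alert(1)"'));   // null: refused
}

demo();
```

Encoding on output is the "time-consuming" fix the message describes: it has to be applied at every point where a script writes untrusted data into a page, and the hop page only helps for links the service itself rewrites.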

