Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: gbowland () TARTARUS UWA EDU AU (Grahame Bowland)
Date: Thu, 6 Jan 2000 14:03:58 +0800
On Jan 05, Metal Hurlant scrawled:

> > Due to the open nature of HTML it is impossible to know all attributes which may contain URLs. And I think it is safe to assume that all attribute values may contain URLs... I can't come up with a practical HTML application where the attribute value "javascript:<something>" makes much sense other than when referring to javascript code to be executed.
>
> Things are a bit more complicated than that:
>
> - javascript code can be placed in a growing number of optional tag parameters (like onmouseover, onload, etc..). The only way to block those is to keep an extensive and up-to-date list of every possible parameter allowing to run a script.
> - Netscape supports something called javascript style sheets, allowing to embed javascript between <style> tags
> - Netscape recognizes mocha: and livescript: urls and treats them like javascript: urls
>
> I'm sure IE has its own share of incompatible and not widely known ways to run scripts. Everyone thinks Javascript is cool (except maybe some weird security folks), so each new browser version is very likely to have a few new ways to do more cool things in javascript..
I think this is a backwards approach to the problem. Why not implement a filtering program that denies all attributes to HTML tags that are not in a master list, and then filter those attributes according to their specified behaviour? HTML email shouldn't require the more esoteric attributes provided by MSIE and Netscape. This could at least be implemented as an "additional security" feature. Just an idea :)

Grahame Bowland
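The allowlist filter the reply proposes, written out as an added example (this is not code from the original post, from Hotmail, or from any of the posters): a small Python sanitizer built on the standard library's HTMLParser that drops every tag and attribute not on a master list, and scheme-checks the attributes known to carry URLs so that javascript:, mocha: and livescript: values are rejected without having to enumerate them. It also discards the bodies of <script> and <style> elements, which covers the "javascript style sheets" case from the quoted message. The tag list, attribute list and accepted schemes are assumptions chosen for illustration; a real deployment would tune them to the mail it actually needs to render.

```python
"""Allowlist-based HTML filter: deny unknown tags and attributes, then
scheme-check the attributes that carry URLs.  Example code; the master list
and the accepted schemes below are illustrative assumptions."""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

# Master list: tag -> attributes permitted on that tag.  Everything else is dropped,
# so onmouseover/onload and friends never have to be enumerated.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "b": set(), "i": set(), "br": set(),
}
URL_ATTRS = {"href", "src"}            # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID = {"img", "br"}                    # no closing tag
RAW_TEXT = {"script", "style"}          # bodies are code, never copied through


def url_is_safe(value):
    """Accept only known-harmless URL schemes.

    Browsers tolerate whitespace and control characters inside the scheme
    ("java\\tscript:"), so those are stripped before the scheme is read.
    Anything not in SAFE_SCHEMES (javascript:, mocha:, livescript:, data:, ...)
    is rejected by default.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    def __init__(self):
        # convert_charrefs=True means attribute values arrive already entity-decoded,
        # so "java&#9;script:" is seen as "java\tscript:" and caught by url_is_safe.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # (tag, attr-or-None) pairs removed; useful for logging
        self.skipping = None    # name of the raw-text element currently being discarded

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in RAW_TEXT:
            self.skipping = tag
        if tag not in ALLOWED:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append((tag, name))
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skipping:
            return              # script/style body: discard
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (filtered_html, dropped) for an HTML fragment."""
    f = AllowlistFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped


if __name__ == "__main__":
    # Constructed sample input exercising the cases discussed in the thread.
    sample = ('<img src="javascript:alert(1)" onmouseover="x()" alt="pic">'
              '<a href="mocha:alert(1)">y</a>'
              '<style>body { x: expression(1) }</style><p onclick="x">hi</p>')
    clean, dropped = sanitize(sample)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is worth keeping: a mail gateway that logs which (tag, attribute) pairs it removed gets a cheap signal for messages that are probing the filter, and the log shows what legitimate mail loses when the master list is too tight.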