Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG LOWSR C="javascript:....">
From: secure () MICROSOFT COM (Microsoft Product Security Response Team)
Date: Mon, 3 Jan 2000 18:41:54 -0800
Hi All - Wanted to let you know that we have developed a fix that eliminates this vulnerability, and have deployed it to all Hotmail servers. We're very sorry for any inconvenience this may have caused. Regards, Secure () microsoft com -----Original Message----- From: Georgi Guninski [mailto:joro () NAT BG] Sent: Monday, January 03, 2000 5:40 AM To: win2ksecadvice () LISTSERV NTSECURITY NET Subject: Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:...."> Georgi Guninski security advisory #1, 2000 Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:...."> Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Hotmail allows executing JavaScript code in email messages using <IMG LOWSRC="javascript:....">, which may compromise user's Hotmail mailbox. Details: There is a major security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the javascript protocol. This exploit works both on Internet Explorer 5.x (almost sure IE 4.x) and Netscape Communicator 4.x. Hotmail filters the "javascript:" protocol for security reasons. But the following JavaScript is executed: <IMG LOWSRC="javascript:alert('Javascript is executed')"> if the user has enabled automatically loading of images (most users have). Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but it is also possible to read user's messages, to send messages from user's name and doing other mischief. It is also possible to get the cookie from Hotmail, which is dangerous. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. It is much easier to exploit this vulnerability if the user uses Internet Explorer 5.x Workaround: Disable JavaScript The code that must be included in HTML email message is: -------------------------------------------------------- <IMG LOWSRC="javascript:alert('Javascript is executed')"> -------------------------------------------------------- Regards, Georgi Guninski http://www.nat.bg/~joro _____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv () listserv ntsecurity net <HR NOSHADE> <UL> <LI>application/x-pkcs7-signature attachment: smime.p7s </UL>
Current thread:
- Re: Hotmail security hole - injecting JavaScript using <IMG LOWSR C="javascript:...."> Microsoft Product Security Response Team (Jan 03)