Bugtraq mailing list archives
Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag
From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Wed, 15 Sep 1999 13:20:20 +0200
On Wed, Sep 15, 1999 at 10:20:26AM +0300, Georgi Guninski wrote:
> Olaf Titz wrote:
> > In article <37DCF0FE.908E4B4F () nat bg> you write:
> > > Note: This is not a browser problem, it is Hotmail's problem.
> > It is a browser problem, at least for the Netscape version.
>
> I continue to think this is NOT a browser problem. In both Netscape and Internet Explorer the behaviour of executing JavaScript via the STYLE tag is fully documented; check the documentation. The fact that Hotmail does not filter this kind of JavaScript is Hotmail's problem.
The problem seems to be due to a breach of standard secure programming practices by Hotmail: if you are programming for security, you start by denying everything, and then allow through the things you know to be secure. This is the only way to do secure filters.

If you rely on removing the bad stuff, a bug will (usually) result in dangerous items passing through, and will most likely not be discovered. If you rely on passing the good stuff (and denying everything else), a bug will (usually) result in things that are supposed to be passed being rejected; in this case, 22 million (or whatever they're up to now) screaming users would probably have told Microsoft about a too restrictive filter soon enough.

Eivind.
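The allow-list versus deny-list distinction drawn above, as an added example in Python; this is not code from the thread, from Hotmail, or from any of the posters. The sample message, the permitted tag set and the placeholder contents of the script and style elements are constructed for the demonstration.

```python
# Added example: a deny-list filter that strips only what it knows is bad,
# beside an allow-list filter that keeps only what it knows is safe.
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy: the only markup the allow-list filter will pass.
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

def deny_list_filter(html_text):
    """Remove the known-bad <script> tags and pass everything else through."""
    return SCRIPT_TAG.sub("", html_text)

class AllowListFilter(HTMLParser):
    """Rebuild the document from tokens, emitting only known-safe markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = tag            # raw-text elements: drop their body too
        if tag not in ALLOWED_TAGS:
            return                     # unknown tag: dropped, not passed
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or not value:
                continue               # unknown attribute: dropped
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue               # unknown URL scheme: dropped
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is re-escaped on output

def allow_list_filter(html_text):
    f = AllowListFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out)

# Constructed sample message; the script/style bodies are placeholders.
SAMPLE = ('<p>Hi <b>Bob</b>, see <a href="http://example.com/">this</a>.</p>'
          '<script>/* placeholder */</script>'
          '<style>/* stylesheet placeholder */</style>')

def style_tag_survives(html_text):
    """True if a <style> element made it through a filter."""
    return "<style" in html_text.lower()
```

Running both filters over SAMPLE shows the point of the post: the deny-list filter removes the script tags yet passes the style element untouched, while the allow-list filter emits only the paragraph, bold and link markup it was told about.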