Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: dmiller () WFDEVELOPMENT COM (Dustin Miller)
Date: Wed, 5 Jan 2000 13:34:32 -0600
This approach would be ideal if it weren't for the fact that any browser that didn't understand the "blockscript" tag would patently ignore it, and its intended function would be lost.

Dustin Miller, President
WebFusion Development Incorporated
http://www.wfdevelopment.com

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Metal Hurlant
Sent: Wednesday, January 05, 2000 4:38 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Hotmail security hole - injecting JavaScript using <IMG

On Tue, 04 Jan 2000, Kevin Hecht wrote:
While Hotmail obviously has a filtering hole, should the browser manufacturers be on the hook here as well, given that javascript: URLs probably shouldn't be rendered at all by the <IMG> tag? While a JavaScript script may load an image on its own, I don't see why the script itself should be loaded and parsed from an <IMG> tag.
Netscape actually tries to parse the value returned by the script, so if your script returns, for example, a valid XPM string, you'll get that image displayed.

What could be useful would be a tag working like
<blockscript key=randompieceofdata>
</blockscript key=samepieceofdata>
anything between these tags would still get parsed as HTML, but with no script hook working. That way, filtering scripts out of untrusted HTML would become the browser manufacturers' responsibility, and things would be a lot easier for everyone else.

Just dreaming,
Henri Torgemane