Bugtraq mailing list archives
Yet another Hotmail security hole - injecting JavaScript using "jAvascript:"
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 10 Jan 2000 16:31:59 +0200
Georgi Guninski security advisory #5, 2000 Yet another Hotmail security hole - injecting JavaScript using "jAvascript:" Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Hotmail allows executing JavaScript code in email messages using <IMG SRC="jAvascript:alert('Javascript is executed')">, which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Details: Some time ago Hotmail fixed the "javasCript" bug, but now a similar issue arrises using hexademical codes of characters. There is a security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the javascript protocol. This exploit works on Internet Explorer. Hotmail filters the "javascript:" protocol for security reasons. But it does not filter properly the following case: "jAvascript" where "A" is the hexademical ASCII code of "A". So the following HTML is executed <IMG SRC="jAvascript:alert('Javascript is executed')"> if the user has enabled automatically loading of images (most users have). Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but it is also possible to read user's messages, to send messages from user's name and doing other mischief. It is also possible to get the cookie from Hotmail, which is dangerous. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. Workaround: Disable Active Scripting The code is: --------------------------------------------------------------- <IMG SRC="jAvascript:alert('Javascript is executed')"> --------------------------------------------------------------- Regards, Georgi Guninski http://www.nat.bg/~joro
Current thread:
- SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS Jarle Aase (Jan 05)
- "SANS Flash Alert For Solaris" Chok Poh (Jan 05)
- Re: SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS Sir Dystic (Jan 05)
- Stack Sheild 0.7 and SFP Overwrites vendicator () USA NET (Jan 07)
- Re: SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS Jarle Aase (Jan 08)
- L0pht Advisory: LPD, RH 4.x,5.x,6.x Dildog (Jan 08)
- Buffer overflow with WinAmp 2.10 Transfer Interrupted (Jan 09)
- Yet another Hotmail security hole - injecting JavaScript using "jAvascript:" Georgi Guninski (Jan 10)