Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript using <IMG
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Wed, 5 Jan 2000 01:25:02 +0100
Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser manufacturers be on the hook here as well, given that javascript: URLs probably shouldn't be rendered at all by the <IMG> tag?
JavaScript can be used to calculate the URL to open in an IMG tag.

    <IMG SRC="&{find_image_to_open()};">

What is more surprising is why it is so hard to make a JavaScript scrubber filter. The ways JavaScript may be inserted in HTML are generic, and not tied to any specific tag or attributes. (see Netscape JavaScript client guide, chapter 9)

    <script> </script>
    <tag attribute="&{javascript_code};">
    <tag url_attribute="javascript:javascript_code">

Due to the open nature of HTML it is impossible to know all attributes which may contain URLs. And I think it is safe to assume that all attribute values may contain URLs...

I can't come up with a practical HTML application where the attribute value "javascript:<something>" makes much sense other than when referring to javascript code to be executed.

--
Henrik Nordstrom
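An added example, not part of the original post: a small scrubber that applies the rule argued above, checking every attribute value regardless of tag or attribute name for the three insertion forms. The names `Scrubber`, `scrub` and `is_script_value` and the sample markup are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser
# Constructed sample covering the three insertion forms listed in the post.
SAMPLE = ('<p title="hello">hi</p><script>alert(1)</script>'
          '<IMG SRC="&{find_image_to_open()};">'
          '<a href="Jav&#x09;aScript:do_something()">x</a>'
          '<td background=" javascript:code">y</td>')

def is_script_value(value):
    """True if an attribute value carries script, whatever the attribute is named."""
    value = value or ""
    # Whitespace/control characters around or inside the scheme do not stop a browser.
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    return "&{" in value or compact.startswith("javascript:")  # entity or URL form

class Scrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":                # drop the element and its body
            self.in_script = True
        if self.in_script:
            return
        kept = [tag]
        for name, value in attrs:          # values arrive entity-decoded
            if is_script_value(value):
                self.removed.append((tag, name))
            else:
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

def scrub(markup):
    s = Scrubber()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.removed
```

`scrub(SAMPLE)` returns the cleaned markup together with the list of `(tag, attribute)` pairs it dropped, which is useful for logging what a message tried to carry.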