Bugtraq mailing list archives
Yet another Hotmail security hole - injecting JavaScript in IE using "@import url(javascript:...)"
From: joro () NAT BG (Georgi Guninski)
Date: Thu, 6 Jan 2000 16:39:02 +0200
Georgi Guninski security advisory #3, 2000 Yet another Hotmail security hole - injecting JavaScript in IE using "@import url(javascript:...)" Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Hotmail allows executing JavaScript code in email messages using "@import url(javascript:...)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Details: There is a security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the javascript protocol. This exploit works on Internet Explorer. Hotmail filters the "javascript:" protocol for security reasons. But the following JavaScript is executed: "@import url(javascript:...)". Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but it is also possible to read user's messages, to send messages from user's name and doing other mischief. It is also possible to get the cookie from Hotmail, which is dangerous. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. Workaround: Disable Active Scripting The code that must be included in HTML email message is: -------------------------------------------------------- <style TYPE="text/css"> @import url(javascript:alert('Javascript is executed')); </style> -------------------------------------------------------- Regards, Georgi Guninski http://www.nat.bg/~joro
Current thread:
- Re: Anyone can take over virtually any domain on the net..., (continued)
- Re: Anyone can take over virtually any domain on the net... Chris Adams (Jan 13)
- Re: Anyone can take over virtually any domain on the net... Shafik Yaghmour (Jan 13)
- Re: Anyone can take over virtually any domain on the net... Nick Lamb (Jan 15)
- Re: Anyone can take over virtually any domain on the net... Kurt Seifried (Jan 13)
- Blinding BIND to a moving domain D. J. Bernstein (Jan 12)
- Re: Blinding BIND to a moving domain Ken Gourlay (Jan 12)
- CyberCash MCK 3.2.0.4: Large /tmp hole Sheldon Young (Jan 12)
- Administrivia: ORBS Elias Levy (Jan 12)
- WebSitePro/2.3.18 is revealing Webdirectories Lark Lizerman (Jan 12)
- Re: Hotmail security hole - injecting JavaScript using <IMG Grahame Bowland (Jan 05)
- Yet another Hotmail security hole - injecting JavaScript in IE using "@import url(javascript:...)" Georgi Guninski (Jan 06)
- Security Bulletins Digest Aleph One (Jan 06)
- Re: Hotmail security hole - injecting JavaScript using <IMG Dustin Miller (Jan 05)