Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag

From: olaf () BIGRED INKA DE (Olaf Titz)
Date: Tue, 14 Sep 1999 10:57:25 +0300

In article <37DCF0FE.908E4B4F () nat bg> you write:

Note: This is not a browser problem, it is Hotmail's problem.


It is a browser problem, at least for the Netscape version.


<P STYLE="left:expression(eval('alert(\'JavaScript is
executed\');window.close()'))" >


One could argue that styles can be computed via Javascript...


<STYLE TYPE="text/javascript">


...but that is ridiculous. The browser should simply ignore a
stylesheet of an unknown type, there is a reason for the type
parameter after all. (Unless it is a deliberate feature that you can
substitute STYLE for SCRIPT, which I somehow doubt.)

This is not only a problem for Hotmail but for all sorts of proxies
which filter Javascript for security reasons. Since there is at least
one recent version of both NC and IE which _doesn't_ let you disable
Javascript at all due to bugs, such filtering is an absolute
necessity, but you need to know where in the data stream it can
appear.

Btw. the example given for IE is a classic example of what is so wrong
with Javascript: you can do anything with it - including e.g. trivial
stealing of passwords by popping up fake login dialogs - _even if it
doesn't make sense in the context_. This alone is a reason to
completely block and disable it.

Olaf
Previous By Date Next
Previous By Thread Next

Current thread: