Bugtraq mailing list archives

Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag


From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Wed, 15 Sep 1999 13:20:20 +0200


On Wed, Sep 15, 1999 at 10:20:26AM +0300, Georgi Guninski wrote:
> Olaf Titz wrote:
>
> > In article <37DCF0FE.908E4B4F () nat bg> you write:
> > > Note: This is not a browser problem, it is Hotmail's problem.
> >
> > It is a browser problem, at least for the Netscape version.
>
> I continue to think this is NOT a browser problem. In both Netscape and
> Internet Explorer the behaviour of executing JavaScript via the STYLE tag is
> fully documented, check the documentation. The fact that Hotmail does
> not filter this kind of JavaScript is Hotmail's problem.

The problem seems to be due to a breach of standard secure programming
practices by Hotmail:

If you are programming for security, you start by denying everything, and
then allow through the things you know to be secure.

This is the only way to do secure filters.  If you rely on removing the bad
stuff, a bug will (usually) result in dangerous items passing through, and
will most likely not be discovered.  If you rely on passing the good stuff
(and denying everything else), a bug will (usually) result in things that
are supposed to be passed being rejected; in this case, 22 million (or
whatever they're up to now) screaming users would probably have told
Microsoft about a too restrictive filter soon enough.

Eivind.
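To make the deny-everything-then-allow point above concrete, here is an added example (written for this archive page, not code from Hotmail, Eivind or anyone in the thread) that runs a constructed HTML mail body through two filters: a deny-list filter that strips the tags and attributes its author happened to think of, and an allow-list filter built on the standard library HTMLParser that drops everything not explicitly permitted. The sample input, the tag allow-list and the `SAFE_SCHEMES` tuple are all assumptions chosen for the demonstration; the `<style>` and `onerror` contents are empty placeholders, not working payloads.

```python
"""Deny-list vs allow-list HTML filtering, illustrating the thread's argument.

Added example; the sample mail body below is constructed, not captured data.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed user-supplied mail body: benign formatting plus the kinds of
# markup a webmail filter must not let through. Payload bodies are placeholders.
SAMPLE_HTML = (
    '<p>Hello <b>world</b>, see <a href="http://example.org/x">this</a>.</p>'
    '<script>/* placeholder */</script>'
    '<style>/* placeholder: a 1999 browser could run script from here */</style>'
    '<img src="x" onerror="/* placeholder */">'
)


def denylist_filter(doc: str) -> str:
    """Deny-list approach: remove the things the author *knew* were bad.

    Whatever the list-maker forgot (here the <style> tag) passes straight
    through, and nothing in normal use ever reveals the omission.
    """
    doc = re.sub(r"<script\b.*?</script\s*>", "", doc, flags=re.I | re.S)
    doc = re.sub(r"\s+on\w+\s*=\s*(\".*?\"|'.*?'|\S+)", "", doc, flags=re.I)
    return doc


class AllowlistFilter(HTMLParser):
    """Allow-list approach: deny everything, then re-admit only known-safe
    tags and attributes. Unknown tags (<script>, <style>, <img>, ...) and
    unknown attributes are dropped; text inside script/style is dropped too,
    since it is code rather than prose. Forgetting a safe tag breaks a user's
    formatting (and gets reported); it never admits something dangerous.
    """

    # Assumed allow-list for the demo: tag -> attributes permitted on it.
    ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
    SAFE_SCHEMES = ("http://", "https://")  # assumed; only absolute web links

    def __init__(self) -> None:
        super().__init__()
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a <script> or <style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag]:
                continue
            value = value or ""
            if name == "href" and not value.lower().startswith(self.SAFE_SCHEMES):
                continue  # unknown scheme: drop the attribute, keep the link text
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output

    # Comments, processing instructions and declarations fall through to the
    # base class no-ops, so they are dropped as well.


def allowlist_filter(doc: str) -> str:
    """Run the allow-list parser over a document and return the rebuilt HTML."""
    parser = AllowlistFilter()
    parser.feed(doc)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("deny-list :", denylist_filter(SAMPLE_HTML))
    print("allow-list:", allowlist_filter(SAMPLE_HTML))
```

Running it shows the asymmetry Eivind describes: the deny-list output still contains the `<style>` element because nobody wrote a rule for it, while the allow-list output is just the paragraph, bold text and the `http://` link, with every tag and attribute it had no rule for silently gone.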

