Bugtraq mailing list archives
Yet another major Hotmail security hole - injecting JavaScript using "javasCript:"
From: joro () NAT BG (Georgi Guninski)
Date: Wed, 22 Sep 1999 15:48:04 +0300
Yet another major Hotmail security hole - injecting JavaScript using
"javasCript:"
There is a major security flaw in Hotmail which allows injecting and
executing
JavaScript code in an email message using the javascript protocol.
This exploit works both on Internet Explorer 5.0 (guess IE 4.x) and
Netscape Communicator 4.x.
Hotmail filters the "javascript:" protocol for security reasons. But it
does not filter properly
the following case: "javasCript:" where "C" is the ASCII code of
"C".
So the following HTML is executed <IMG
SRC="javasCript:alert('JavaScript is executed');"> if the user has
enabled automatically loading of images (most users have).
Probably this may be used in other HTML tags.
Executing JavaScript when the user opens Hotmail email message allows
for example
displaying a fake login screen where the user enters his password which
is then stolen.
I don't want to make a scary demonstration, but I am sure it is also
possible to read user's
messages, to send messages from user's name and doing other mischief.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
It is much easier to exploit this vulnerability if the user uses
Internet Explorer 5.0.
AFAIK this is not a browser problem, it is Hotmail's problem.
Workaround: Disable JavaScript
The code is:
<IMG SRC="javasCript:alert('JavaScript is
executed');a=window.open(document.links[2]);setTimeout('alert(\'The
first message in your Inbox is from :
\'+a.document.links[26].text)',20000)">
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Regards,
Georgi Guninski
http://www.nat.bg/~joro
Current thread:
- NAI Security Advisory - Windows IP source routing Security Research Labs (Sep 20)
- Re: NAI Security Advisory - Windows IP source routing Holger Heimann (Sep 21)
- Update to ODBC/RDS vulnerabilities rfp () WIRETRIP NET (Sep 21)
- Re: NAI Security Advisory - Windows IP source routing Ronan Waide (Sep 22)
- Yet another major Hotmail security hole - injecting JavaScript using "javasCript:" Georgi Guninski (Sep 22)
- <Possible follow-ups>
- Re: NAI Security Advisory - Windows IP source routing Eric D. Williams (Sep 22)
- Re: NAI Security Advisory - Windows IP source routing Holger Heimann (Sep 21)