Bugtraq mailing list archives

Re: Yet another Hotmail security hole - injecting JavaScript in


From: JKing () GFPGROUP COM (Justin King)
Date: Wed, 5 Jan 2000 13:23:33 -0500


This is expected behavior.

JavaScript can be inserted almost anywhere, and this is a good thing. As
Henrik Nordstrom pointed out earlier, JavaScript might be used in this
particular instance to calculate the URL of the image tag.

The point of JavaScript is to add interactive functionality to all the HTML
objects. Browsers recognize this; web developers do not.

What "would be nice" is if someone would publish an algorithm that, to
current standard specs, removes all non-permitted HTML tags, any
non-permitted attributes to those tags, and any JavaScript.

Any takers?

 -----Original Message-----
From:   Nick FitzGerald [mailto:nick () VIRUS-L DEMON CO UK]
Sent:   Tuesday, January 04, 2000 10:59 PM
To:     BUGTRAQ () SECURITYFOCUS COM
Subject:        Re: Yet another Hotmail security hole - injecting JavaScript in

Georgi Guninski security advisory #2, 2000

Yet another Hotmail security hole - injecting JavaScript in IE using
<IMG DYNSRC="javascript:....">
<<snip>>

It would be nice to think that while fixing the previous hole
(<IMG LOWSRC="javascript:....">), one or two of the MS/Hotmail
security staff might have wondered "What other parameters on this and
other tags may be similarly exploitable?".

Yeah, right...

I note that no browser fixes have been notified/posted yet, or is
this a Hotmail-only hole (i.e. "expected behaviour" in the browser)?

Regards,

Nick FitzGerald
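
An added example, not part of the original thread or any poster's code: a minimal allowlist filter of the kind asked for above, showing why permitting known-good tags and attributes drops both LOWSRC and DYNSRC without having to enumerate them. The tag/attribute policy, scheme list and sample input are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: permitted tags and their permitted attributes.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"br", "img"}                # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}  # element and everything inside it is dropped

def safe_url(value):
    # Browsers skip whitespace/control chars in a scheme, so strip them before comparing.
    cleaned = "".join(c for c in value if c > " ")
    scheme, colon, _ = cleaned.partition(":")
    return bool(colon) and scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased, values entity-decoded
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]
                and (k not in URL_ATTRS or safe_url(v or ""))]
        self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample: the two attributes named in the thread plus an event handler.
SAMPLE = '<IMG SRC="http://example.test/a.gif" LOWSRC="javascript:a()" DYNSRC="javascript:b()" onload="c()">'
```

The output is rebuilt from parsed tokens rather than edited in place, so anything the policy does not name is absent from the result.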

