Vulnerability Development mailing list archives

nsmail XSS hole (was Re: double decoding filter bypass (Hotmail) + challenge for you)


From: FozZy <fozzy () dmpfrance com>
Date: Fri, 19 Jul 2002 00:12:24 +0200

Here's another one for you FozZY:

thx ! No time for testing it since I am going on holidays, but surely it can be used against most webmails, in this 
commercial world where companies do not care about their users' privacy...

I'd just like to show here why filters should be designed very carefully:
The Netscape webmail (and maybe AOL's, if it is the same engine; can someone test it?) has a very aggressive 
filter. And a weird one. It seems to try to delete anything that does not fit its needs, but in a kind of strange way, not 
easy to understand. However, it can be bypassed by experimenting with the output of the filter on different inputs and 
trying to understand its logic. When you understand the way the filter works, you can bypass it easily. 
So, if you design a filter, you should really think about the logic of your filter, and try to make it mathematically 
correct. If not, the cracker will find the flaws in your logic and use them to bypass the filter.

As an example, here is a nsmail exploit that used to fire javascript a couple of months ago (dunno if they changed 
anything since that time; they could have cut off all html since the frog-frog advisory, which would be a good idea):
<img <img src="j&#X41vascr&#x49pt:alert(document.cookie)">

Really simple, only known stuff; the trick here is to use two img tags and let the flawed filter delete one of them for 
you! So the output after the work of the filter becomes:
<img src="j&#X41vascr&#x49pt:alert(document.cookie)">

That fires javascript. If I had put this line directly into an email, it would have been deleted by the filter. The 
two img tags are needed to exploit this badly designed filter.

Conclusion: there are two ways to bypass a javascript filter. The http-equiv approach: using a new way to trigger 
javascript on some current browsers, with unfiltered html tags. And the usual approach in security audits: trying to 
find flaws in the design of the software (here, the filter).
What is a secure design? It's a mathematically proved one. With filter rules, it can be done. But let me go on 
holidays for now ;)

FozZy
Hackademy & Hackerz Voice Director
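To illustrate the design flaw the post describes, here is an added example in Python (not from the post, and not Netscape's code). The real nsmail filter rules are unknown, so `naive_filter` is a hypothetical reconstruction chosen only because it reproduces the output quoted above; `strict_filter` shows the defensive fix: decode entities before judging, strip until nothing changes, and reject rather than patch anything that still carries a script scheme.

```python
import html
import re
from typing import Optional

# Constructed input: the nested-tag payload quoted in the post above.
NESTED_IMG = '<img <img src="j&#X41vascr&#x49pt:alert(document.cookie)">'
# Constructed input: a second folding that a single pass also fails on.
FOLDED_IMG = '<<img img src="x">'

TAG_RE = re.compile(r'<img\s+', re.IGNORECASE)
SCRIPT_URL = re.compile(r'(?:javascript|vbscript|data)\s*:', re.IGNORECASE)


def naive_filter(text: str) -> str:
    """Hypothetical flawed filter: delete one offending tag opener and stop.

    Removing the outer '<img ' hands the browser the inner tag intact, which
    is exactly the output the post shows.
    """
    return re.sub(r'<img\s+', '', text, count=1)


def one_pass_filter(text: str) -> str:
    """Strip every opener once; still unsound, because a deletion can
    splice two fragments into a brand-new '<img ' that is never examined."""
    return TAG_RE.sub('', html.unescape(text))


def strict_filter(text: str) -> Optional[str]:
    """Hardened filter.

    1. Decode entities first, so 'j&#X41vascr&#x49pt:' is judged as the
       browser will see it ('jAvascrIpt:'), not as the encoded form.
    2. Re-apply the strip rule until the text stops changing (a fixed
       point), so deleting one tag can never reveal another hidden inside.
    3. If a script scheme is still present, reject the message (None)
       instead of trying to repair it: the accepted language must
       provably exclude it.
    """
    decoded = html.unescape(text)
    while True:
        stripped = TAG_RE.sub('', decoded)
        if stripped == decoded:
            break
        decoded = stripped
    return None if SCRIPT_URL.search(decoded) else decoded
```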
