Hi All -

Wanted to let you know that we have developed a fix that eliminates this vulnerability, and have deployed it to all Hotmail servers. We're very sorry for any inconvenience this may have caused.

Regards,
Secureat_private

-----Original Message-----
From: Georgi Guninski [mailto:joroat_private]
Sent: Monday, January 03, 2000 5:40 AM
To: win2ksecadviceat_private
Subject: Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">

Georgi Guninski security advisory #1, 2000

Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using <IMG LOWSRC="javascript:....">, which may compromise the user's Hotmail mailbox.

Details:
There is a major security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the javascript protocol. This exploit works both on Internet Explorer 5.x (almost surely IE 4.x) and Netscape Communicator 4.x.

Hotmail filters the "javascript:" protocol for security reasons. But the following JavaScript is executed:

<IMG LOWSRC="javascript:alert('Javascript is executed')">

if the user has enabled automatic loading of images (most users have).

Executing JavaScript when the user opens a Hotmail email message allows, for example, displaying a fake login screen where the user enters his password, which is then stolen.
I don't want to make a scary demonstration, but it is also possible to read the user's messages, to send messages in the user's name and to do other mischief. It is also possible to get the cookie from Hotmail, which is dangerous.

Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes.

It is much easier to exploit this vulnerability if the user uses Internet Explorer 5.x

Workaround: Disable JavaScript

The code that must be included in the HTML email message is:
--------------------------------------------------------
<IMG LOWSRC="javascript:alert('Javascript is executed')">
--------------------------------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro
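The bug class the advisory reports, shown as an added example that is not part of the original message and is not Hotmail's or Microsoft's code: a sanitizer that examines only SRC= (modelling the observable behaviour Guninski describes, since the page says nothing about how Hotmail's filter was actually built) beside a hardened one that normalizes and allowlists the scheme of every attribute the rendering engine treats as a URL, LOWSRC included. The tokenizer, the attribute list, the scheme allowlist and the extra evasion inputs in the test are assumptions made for this illustration.

```javascript
// Added example (not from the original message, Hotmail, or Microsoft):
// two HTML-email sanitizers run over the advisory's payload. The tokenizer,
// the attribute list and the scheme allowlist are assumptions made for this
// illustration, not a description of Hotmail's real filter.

// Attributes that browsers treat as URLs. LOWSRC and DYNSRC are the legacy
// IMG attributes; forgetting any one of these is the bug class the advisory
// demonstrates.
const URL_ATTRS = new Set([
  'src', 'lowsrc', 'dynsrc', 'href', 'background', 'action', 'data',
  'formaction', 'poster', 'codebase', 'cite', 'usemap',
]);
const SAFE_SCHEMES = new Set(['http', 'https', 'cid']); // cid: inline mail parts

// Minimal tag/attribute tokenizer, enough for well-formed tags. A real
// sanitizer must work on a proper HTML parse tree (a '>' inside a quoted
// attribute value breaks this regex, for instance).
const TAG_RE = /<\s*\/?\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Numeric entities and &amp; only: enough to show why the scheme must be
// examined after decoding, not on the raw attribute text.
function decodeEntities(s) {
  const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&amp;/gi, '&');
}

// Scheme of a URL attribute after roughly the normalizations a browser
// applies before dispatching on it: entity decoding, removal of control and
// whitespace characters, case folding. Returns null for relative URLs.
function urlScheme(value) {
  const cleaned = decodeEntities(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null;
}

// Models the weak filter: only SRC= is examined, and only for a literal
// "javascript:" prefix. The advisory's LOWSRC payload passes untouched.
function naiveFilter(html) {
  return html.replace(TAG_RE, (tag, _name, raw) => {
    const src = parseAttrs(raw).find((a) => a.name === 'src');
    return src && src.value.trim().toLowerCase().startsWith('javascript:') ? '' : tag;
  });
}

// Names of attributes in one tag that carry a disallowed URL scheme or are
// inline event handlers (on*). An empty array means the tag is clean.
function unsafeAttributes(raw) {
  const bad = [];
  for (const a of parseAttrs(raw)) {
    if (a.name.startsWith('on')) { bad.push(a.name); continue; }
    if (!URL_ATTRS.has(a.name)) continue;
    const scheme = urlScheme(a.value);
    if (scheme !== null && !SAFE_SCHEMES.has(scheme)) bad.push(a.name);
  }
  return bad;
}

// Hardened filter: allowlist the scheme of every URL-bearing attribute and
// drop the whole tag on any violation (simpler and safer than repairing it).
function hardenedFilter(html) {
  return html.replace(TAG_RE, (tag, _name, raw) => (unsafeAttributes(raw).length ? '' : tag));
}

// Payload quoted in the advisory.
const PAYLOAD = `<IMG LOWSRC="javascript:alert('Javascript is executed')">`;
console.log('naive   :', JSON.stringify(naiveFilter(PAYLOAD)));    // payload survives
console.log('hardened:', JSON.stringify(hardenedFilter(PAYLOAD))); // ""
```

Run it with `node`. The point to take from the pair is not the regexes (a production sanitizer should allowlist tags and attributes on a real parse tree) but the enumeration: a filter that blocks `javascript:` must know every attribute the rendering engine will load as a URL, including legacy ones such as LOWSRC and DYNSRC, and must decide on the scheme only after the same decoding and whitespace stripping the browser performs, otherwise `&#106;ava&#9;script:` or `JAVA<newline>SCRIPT:` slips past a literal prefix check just as LOWSRC slipped past an SRC-only one.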
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:54 PDT