--0-1681692777-947018805=:19576 Content-Type: text/plain; charset=us-ascii I have tested the code included in Georgi's email an it seems that Yahoo's web-based email is also vulnerable. solutions: disable JS Kevin Hecht <khecht19at_private> wrote: Georgi Guninski wrote: > > Georgi Guninski security advisory #1, 2000 > > Hotmail security hole - injecting JavaScript using > LOWSRC="javascript:...."> > > Disclaimer: > The opinions expressed in this advisory and program are my own and not > of any company. > The usual standard disclaimer applies, especially the fact that Georgi > Guninski is not liable for any damages caused by direct or indirect use > of the information or functionality provided by this program. > Georgi Guninski, bears NO responsibility for content or misuse of this > program or any derivatives thereof. > > Description: > Hotmail allows executing JavaScript code in email messages using > LOWSRC="javascript:....">, > which may compromise user's Hotmail mailbox. > > Details: > There is a major security flaw in Hotmail which allows injecting and > executing JavaScript code in an email message using the javascript > protocol. This exploit works both on Internet Explorer 5.x (almost sure > IE 4.x) and Netscape Communicator 4.x. > Hotmail filters the "javascript:" protocol for security reasons. > But the following JavaScript is executed: > LOWSRC="javascript:alert('Javascript is executed')"> if the user has > enabled automatically loading of images (most users have). > > Executing JavaScript when the user opens Hotmail email message allows > for example displaying a fake login screen where the user enters his > password which is then stolen. > I don't want to make a scary demonstration, but it is also possible to > read user's messages, to send messages from user's name and doing other > mischief. > It is also possible to get the cookie from Hotmail, which is dangerous. > Hotmail deliberately escapes all JavaScript (it can escape) to prevent > such attacks, but obviously there are holes. > It is much easier to exploit this vulnerability if the user uses > Internet Explorer 5.x > > Workaround: Disable JavaScript > > The code that must be included in HTML email message is: > -------------------------------------------------------- > > -------------------------------------------------------- > > Regards, > Georgi Guninski > http://www.nat.bg/~joro A quick check of the Messenger Express web client built into Netscape Messaging Server 4.1 at one of my sites seems to indicate that it may be vulnerable as well, as the code above works fine so long as the browser has JS enabled. However, it doesn't use cookies much if at all, so the cookie capture risk is lower though it seems plausible that the social engineering attacks remain a threat. While Hotmail obviously has a filtering hole, should the browser manufacturers be on the hook here as well, given that javascript: URLs probably shouldn't be rendered at all by the tag? While a JavaScript script may load an image on its own, I don't see why the script itself should be loaded and parsed from an tag. -- Kevin Hecht - http://idt.net/~khecht19/ "I am an optimist. It does not seem too much use being anything else." - Winston Churchill --------------------------------- Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. --0-1681692777-947018805=:19576 Content-Type: text/html; charset=us-ascii <P>I have tested the code included in Georgi's email an it seems that Yahoo's web-based email is also vulnerable. </P> <P>solutions: disable JS </P> <P><B><I>Kevin Hecht <khecht19at_private></B></I> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #1010ff 2px solid; MARGIN-LEFT: 5px; PADDING-LEFT: 5px">Georgi Guninski wrote:<BR>><BR>> Georgi Guninski security advisory #1, 2000<BR>><BR>> Hotmail security hole - injecting JavaScript using <IMG<BR>> LOWSRC="javascript:...."><BR>><BR>> Disclaimer:<BR>> The opinions expressed in this advisory and program are my own and not<BR>> of any company.<BR>> The usual standard disclaimer applies, especially the fact that Georgi<BR>> Guninski is not liable for any damages caused by direct or indirect use<BR>> of the information or functionality provided by this program.<BR>> Georgi Guninski, bears NO responsibility for content or misuse of this<BR>> program or any derivatives thereof.<BR>><BR>> Description:<BR>> Hotmail allows executing JavaScript code in email messages using <IMG<BR>> LOWSRC="javascript:....">,<BR>> which may compromise user's Hotmail mailbox.<BR>><BR>> Details:<BR>> There is a major security flaw in Hotmail which allows injecting and<BR>> executing JavaScript code in an email message using the javascript<BR>> protocol. This exploit works both on Internet Explorer 5.x (almost sure<BR>> IE 4.x) and Netscape Communicator 4.x.<BR>> Hotmail filters the "javascript:" protocol for security reasons.<BR>> But the following JavaScript is executed: <IMG<BR>> LOWSRC="javascript:alert('Javascript is executed')"> if the user has<BR>> enabled automatically loading of images (most users have).<BR>><BR>> Executing JavaScript when the user opens Hotmail email message allows<BR>> for example displaying a fake login screen where the user enters his<BR>> password which is then stolen.<BR>> I don't want to make a scary demonstration, but it is also possible to<BR>> read user's messages, to send messages from user's name and doing other<BR>> mischief.<BR>> It is also possible to get the cookie from Hotmail, which is dangerous.<BR>> Hotmail deliberately escapes all Ja! vaScript (it can escape) to prevent<BR>> such attacks, but obviously there are holes.<BR>> It is much easier to exploit this vulnerability if the user uses<BR>> Internet Explorer 5.x<BR>><BR>> Workaround: Disable JavaScript<BR>><BR>> The code that must be included in HTML email message is:<BR>> --------------------------------------------------------<BR>> <IMG lowsrc="javascript:alert('Javascript is executed')"><BR>> --------------------------------------------------------<BR>><BR>> Regards,<BR>> Georgi Guninski<BR>> http://www.nat.bg/~joro
><BR>A quick check of the Messenger Express web client built into Netscape<BR>Messaging Server 4.1 at one of my sites seems to indicate that it may be<BR>vulnerable as well, as the code above works fine so long as the browser<BR>has JS enabled. However, it doesn't use cookies much if at all, so the<BR>cookie capture risk is lower though it seems plausible that the social<BR>engineering attacks remain a threat.<BR><BR>While Hotmail obviously has a filtering hole, should the browser<BR>manufacturers be on the hook here as well, given that javascript: URLs<BR>probably shouldn't be rendered at all by the <IMG> tag? While a<BR>JavaScript script may load an image on its own, I don't see why the<BR>script itself should be loaded and parsed from an <IMG> tag.<BR>--<BR>Kevin Hecht - http://idt.net/~khecht19/
>"I am an optimist. It does not seem too<BR>much use being anything else." - Winston Churchill<BR><BR><BR></BLOCKQUOTE> <br><hr size=1><b>Do You Yahoo!?</b><br> Talk to your friends online with <a href="http://messenger.yahoo.com/">Yahoo! Messenger</a>. --0-1681692777-947018805=:19576--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:01 PDT