Re: Hotmail security hole - injecting JavaScript using <IMG

From: Metal Hurlant (metal_hurlantat_private)
Date: Wed Jan 05 2000 - 02:37:49 PST

Next message: Casper Dik: "Re: Symlinks and Cryogenic Sleep"

Previous message: cogNiTioN: "Re: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper"
Maybe in reply to: Georgi Guninski: "Hotmail security hole - injecting JavaScript using <IMG"
Next in thread: ckat_private: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 04 Jan 2000, Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag? While a
> JavaScript script may load an image on its own, I don't see why the
> script itself should be loaded and parsed from an <IMG> tag.

Netscape actually tries to parse the value returned by the script, so if your
script returns, for example, a valid XPM string, you'll get that image
displayed.

What could be useful would be a tag working like
<blockscript key=randompieceofdata>

</blockscript key=samepieceofdata>

anything between these tags would still get parsed as HTML, but with no script
hook working.
That way, filtering scripts out of untrusted HTML would become the browser
manufacturers responbility, and things would be a lot easier for everyone else.

Just dreaming,
Henri Torgemane

Next message: Casper Dik: "Re: Symlinks and Cryogenic Sleep"
Previous message: cogNiTioN: "Re: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper"
Maybe in reply to: Georgi Guninski: "Hotmail security hole - injecting JavaScript using <IMG"
Next in thread: ckat_private: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:38 PDT