Re: Yet another Hotmail security hole - injecting JavaScript in

From: Justin King (JKingat_private)
Date: Wed Jan 05 2000 - 10:23:33 PST


    This is expected behavior.
    
    JavaScript can be inserted almost anywhere, and this is a good thing. As
    Henrik Nordstrom pointed out earlier, JavaScript might be used in this
    particular instance to calculate the URL of the image tag.
    
    The point of JavaScript is to add interactive functionality to all the HTML
    objects. Browsers recognize this, web developers do not.
    
    What "would be nice" is if someone would publish an algorithm that, to
    current standard specs, removes all non-permitted HTML tags, any
    non-permitted attributes to those tags, and any JavaScript.
    
    Any takers?
    
     -----Original Message-----
    From: 	Nick FitzGerald [mailto:nick@VIRUS-L.DEMON.CO.UK]
    Sent:	Tuesday, January 04, 2000 10:59 PM
    To:	BUGTRAQat_private
    Subject:	Re: Yet another Hotmail security hole - injecting JavaScript
    in
    
    > Georgi Guninski security advisory #2, 2000
    >
    > Yet another Hotmail security hole - injecting JavaScript in IE using
    > <IMG DYNRC="javascript:....">
    <<snip>>
    
    It would be nice to think that while fixing the previous hole
    (<IMG LOWSRC="javascript:....">), one or two of the MS/Hotmail
    security staff might have wondered "What other parameters on this and
    other tags may be similarly exploitable?".
    
    Yeah, right...
    
    I note that no browser fixes have been notified/posted yet, or is
    this a Hotmail-only hole (i.e. "expected behaviour" in the browser)?
    
    
    Regards,
    
    Nick FitzGerald
    
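An allowlist-based sanitizer along the lines Justin asks for, added here as an example; it is not code from either poster, from Hotmail, or from the advisory. It uses Python's html.parser; the allowlisted tags and attributes, the accepted URL schemes and the sample inputs are constructed assumptions. It is built around the point Nick's message makes: a filter that learned LOWSRC would still have missed the IE DYNSRC attribute (quoted in the advisory subject as DYNRC), whereas an allowlist drops every attribute it was not explicitly told to keep, so neither needs to be named. URL-bearing attributes are additionally checked by scheme after entity decoding and control-character stripping, and everything is re-serialized with escaping rather than copied from the input.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (constructed for this example): tag -> attributes allowed to survive.
# Anything not listed, tag or attribute, is dropped. This is what removes
# lowsrc, dynsrc, on* handlers and style without enumerating them.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}                  # values that must pass the scheme check
SAFE_SCHEMES = {"http", "https", "mailto"}   # constructed allowlist of URL schemes
DROP_CONTENT = {"script", "style", "title", "iframe", "object", "embed"}  # drop text too
VOID = {"br", "img"}                         # never pushed onto the open-tag stack

_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def url_is_safe(value):
    """Accept a URL only if it has no scheme (relative) or an allowlisted one.
    Whitespace and control characters are removed first because browsers ignore
    them inside a scheme ("java\\nscript:"); html.parser has already decoded
    entities such as &#106; before the value reaches us."""
    cleaned = _CTRL_WS.sub("", value)
    m = _SCHEME.match(cleaned)
    if m is None:
        return True  # no scheme syntax at all, e.g. "dir/a:b" or "/path"
    return m.group(1).lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # re-serialized, escaped output pieces
        self.open_tags = []   # allowlisted tags emitted and still awaiting a close
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED:
            return  # disallowed tag: the tag goes, its text is kept (unless dropping)
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag]:
                continue  # not on the allowlist for this tag: dropped, whatever it is
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # javascript:, data:, vbscript: and friends are removed
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.drop_depth:
            if tag in DROP_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so output stays well-nested.
            while True:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions fall through to HTMLParser's
    # no-op handlers and are therefore dropped from the output.

    def close(self):
        super().close()
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize(fragment):
    """Return a re-serialized copy of `fragment` containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs in the shape of the two Hotmail reports.
    for sample in (
        '<IMG DYNSRC="javascript:alert(1)" LOWSRC="javascript:alert(2)" SRC="http://example.com/a.gif">',
        '<a href=" JavaScript:alert(1)" onclick="x()">hi</a>',
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<p>Hello <script>alert(1)</script>world<b x=1>!</b></p>',
    ):
        print(sample, "->", sanitize(sample))
```

Because the output is rebuilt from the parser's view of the document rather than passed through, a tag the parser saw differently from the browser cannot smuggle its original bytes out; the price is that any markup not on the allowlist, including harmless tags the sender used, is removed, which is the trade a webmail filter should make.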



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:07 PDT