Yet another Hotmail security hole - injecting JavaScript using

From: Georgi Guninski (joroat_private)
Date: Mon Jan 10 2000 - 06:31:59 PST

Next message: Theodor Ragnar Gislason: "Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow"

Previous message: redhat-watch-listat_private: "[RHSA-2000:002] New lpr packages available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Georgi Guninski security advisory #5, 2000

Yet another Hotmail security hole - injecting JavaScript using
"j&#x41;vascript:"

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or  indirect use
of the information or functionality provided by this program. Georgi
Guninski, bears NO responsibility for content or misuse of this program
or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using <IMG
SRC="j&#x41;vascript:alert('Javascript is executed')">,
which may compromise user's Hotmail mailbox when viewed with Internet
Explorer.

Details:
Some time ago Hotmail fixed the "javas&#67ript" bug, but now a similar
issue arrises using hexademical codes of characters. There is a security
flaw in Hotmail which allows injecting and executing JavaScript code in
an email message using the javascript protocol. This exploit works on
Internet Explorer.
Hotmail filters the "javascript:" protocol for security reasons. But it
does not filter properly the following case: "j&#x41;vascript" where
"&#x41" is the hexademical ASCII code of "A". So the following HTML is
executed <IMG SRC="j&#x41;vascript:alert('Javascript is executed')"> if
the user has enabled automatically loading of images (most users have).

Executing JavaScript when the user opens Hotmail email message allows
for example displaying a fake login screen where the user enters his
password which is then stolen. I don't want to make a scary
demonstration, but it is also possible to read user's messages, to send
messages from user's name and doing other mischief.
It is also possible to get the cookie from Hotmail, which is dangerous.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.

Workaround: Disable Active Scripting

The code is:
---------------------------------------------------------------
<IMG SRC="j&#x41;vascript:alert('Javascript is executed')">
---------------------------------------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro

Next message: Theodor Ragnar Gislason: "Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow"
Previous message: redhat-watch-listat_private: "[RHSA-2000:002] New lpr packages available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:25 PDT