bugtraq list archive, 2000: Re: Hotmail security hole - injecting JavaScript using <IMG
<x-html>
<P>I have tested the code included in Georgi's email and it seems that Yahoo's web-based email is also vulnerable. </P>
<P>Solution: disable JS </P>
<P><B><I>Kevin Hecht <khecht19@xxxxxxx></I></B> wrote:</P>
<BLOCKQUOTE style="BORDER-LEFT: #1010ff 2px solid; MARGIN-LEFT: 5px; PADDING-LEFT: 5px">Georgi Guninski wrote:<BR>
><BR>
> Georgi Guninski security advisory #1, 2000<BR>
><BR>
> Hotmail security hole - injecting JavaScript using <IMG<BR>
> LOWSRC="javascript:...."><BR>
><BR>
> Disclaimer:<BR>
> The opinions expressed in this advisory and program are my own and not<BR>
> of any company.<BR>
> The usual standard disclaimer applies, especially the fact that Georgi<BR>
> Guninski is not liable for any damages caused by direct or indirect use<BR>
> of the information or functionality provided by this program.<BR>
> Georgi Guninski bears NO responsibility for content or misuse of this<BR>
> program or any derivatives thereof.<BR>
><BR>
> Description:<BR>
> Hotmail allows executing JavaScript code in email messages using <IMG<BR>
> LOWSRC="javascript:....">,<BR>
> which may compromise the user's Hotmail mailbox.<BR>
><BR>
> Details:<BR>
> There is a major security flaw in Hotmail which allows injecting and<BR>
> executing JavaScript code in an email message using the javascript<BR>
> protocol. This exploit works both on Internet Explorer 5.x (almost surely<BR>
> IE 4.x) and Netscape Communicator 4.x.<BR>
> Hotmail filters the "javascript:" protocol for security reasons.<BR>
> But the following JavaScript is executed: <IMG<BR>
> LOWSRC="javascript:alert('Javascript is executed')"> if the user has<BR>
> enabled automatic loading of images (most users have).<BR>
><BR>
> Executing JavaScript when the user opens a Hotmail email message allows<BR>
> for example displaying a fake login screen where the user enters his<BR>
> password, which is then stolen.<BR>
> I don't want to make a scary demonstration, but it is also possible to<BR>
> read the user's messages, to send messages in the user's name and to do other<BR>
> mischief.<BR>
> It is also possible to get the cookie from Hotmail, which is dangerous.<BR>
> Hotmail deliberately escapes all JavaScript (it can escape) to prevent<BR>
> such attacks, but obviously there are holes.<BR>
> It is much easier to exploit this vulnerability if the user uses<BR>
> Internet Explorer 5.x<BR>
><BR>
> Workaround: Disable JavaScript<BR>
><BR>
> The code that must be included in the HTML email message is:<BR>
> --------------------------------------------------------<BR>
> <IMG lowsrc="javascript:alert('Javascript is executed')"><BR>
> --------------------------------------------------------<BR>
><BR>
> Regards,<BR>
> Georgi Guninski<BR>
> http://www.nat.bg/~joro<BR>
<BR>
A quick check of the Messenger Express web client built into Netscape<BR>
Messaging Server 4.1 at one of my sites seems to indicate that it may be<BR>
vulnerable as well, as the code above works fine so long as the browser<BR>
has JS enabled. However, it doesn't use cookies much if at all, so the<BR>
cookie capture risk is lower, though it seems plausible that the social<BR>
engineering attacks remain a threat.<BR>
<BR>
While Hotmail obvi</BLOCKQUOTE>
</x-html>
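<P>An added example, not from the advisory and not Hotmail's, Yahoo's or Netscape's code, of the class of mistake this thread is about: a blacklist that checks the javascript: scheme only on the attributes its author thought of (SRC, HREF), next to an allowlist that checks every attribute able to carry a URL. The exact shape of the blacklist is an assumption; the thread only reports that LOWSRC got past Hotmail's filter. The tokenizer is deliberately minimal, assumes attribute values contain no '>', leaves text nodes alone, and is not a substitute for a real HTML parser.</P>

```javascript
// Added example, not Hotmail's code and not from the advisory: a toy model of
// the bypass discussed in this thread. naiveFilter() mimics a blacklist that
// checks the javascript: scheme only on SRC/HREF (an assumption; the advisory
// only reports that LOWSRC got through). sanitize() is the allowlist approach.
// The tokenizer below is NOT a full HTML parser: it assumes attribute values
// contain no '>' and leaves text nodes (including script bodies) untouched.

// Opening or closing tag: g1 = "/" if closing, g2 = tag name, g3 = attribute text.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// The payload from the advisory, constructed here as test input.
const ADVISORY_PAYLOAD = `<IMG lowsrc="javascript:alert('Javascript is executed')">`;

function parseAttrs(attrText) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

function buildTag(closing, name, attrs) {
  if (closing) return `</${name}>`;
  const esc = v => v.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<${name}${attrs.map(a => ` ${a.name}="${esc(a.value)}"`).join('')}>`;
}

// 1. Blacklist (vulnerable by design): the scheme is checked only on the
//    attributes the filter's author thought of; LOWSRC, DYNSRC, BACKGROUND and
//    any attribute a newer browser adds pass untouched.
const CHECKED_ATTRS = new Set(['src', 'href']);

function naiveFilter(html) {
  return html.replace(TAG_RE, (tag, closing, name, attrText) => {
    const kept = parseAttrs(attrText).filter(
      a => !(CHECKED_ATTRS.has(a.name) && /^\s*javascript:/i.test(a.value)));
    return buildTag(closing, name.toLowerCase(), kept);
  });
}

// 2. Allowlist: unknown tags and attributes are dropped, and every attribute that
//    names a resource must carry an http(s) or relative URL. A Map, not a plain
//    object, so a tag named "constructor" cannot resolve to Object.prototype.
const ALLOWED_TAGS = new Map([
  ['p', []], ['b', []], ['i', []], ['br', []], ['a', ['href']],
  ['img', ['src', 'alt', 'width', 'height']],
]);
const URL_ATTRS = new Set(['src', 'href', 'lowsrc', 'dynsrc', 'background']);

// What the browser will actually see: numeric entities decoded (&#106;avascript:)
// and ASCII controls/whitespace removed (browsers ignore them in the scheme).
function normalizeUrl(v) {
  const cp = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return v.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
          .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
          .replace(/[\x00-\x20\x7f]/g, '');
}

// Returns the cleaned URL if it is safe to keep, null if it must be dropped.
function safeUrl(value) {
  const cleaned = normalizeUrl(value);
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme === null) return cleaned;                // relative URL: no scheme to abuse
  const s = scheme[1].toLowerCase();
  return s === 'http' || s === 'https' ? cleaned : null;
}

function sanitize(html) {
  return html.replace(TAG_RE, (tag, closing, name, attrText) => {
    const lname = name.toLowerCase();
    const allowed = ALLOWED_TAGS.get(lname);
    if (allowed === undefined) return '';             // unknown tag: drop it
    const kept = [];
    for (const a of parseAttrs(attrText)) {
      if (!allowed.includes(a.name)) continue;        // lowsrc is on no list
      if (URL_ATTRS.has(a.name)) {
        const url = safeUrl(a.value);
        if (url === null) continue;                   // bad scheme: drop the attribute
        a.value = url;
      }
      kept.push(a);
    }
    return buildTag(closing, lname, kept);
  });
}

// Names of attributes whose value still resolves to a javascript: URL.
function scriptUrlAttrs(html) {
  const found = [];
  html.replace(TAG_RE, (tag, closing, name, attrText) => {
    for (const a of parseAttrs(attrText)) {
      if (/^javascript:/i.test(normalizeUrl(a.value))) found.push(a.name);
    }
    return tag;
  });
  return found;
}

console.log('blacklist:', naiveFilter(ADVISORY_PAYLOAD), scriptUrlAttrs(naiveFilter(ADVISORY_PAYLOAD)));
console.log('allowlist:', sanitize(ADVISORY_PAYLOAD), scriptUrlAttrs(sanitize(ADVISORY_PAYLOAD)));
```

<P>Run with node: the blacklist passes the advisory's payload through with lowsrc intact, while the allowlist reduces it to a bare img tag. The design point is that the blacklist has to know every attribute that can hold a URL in every browser it serves (the advisory notes the same payload works in IE 4/5 and Communicator 4), whereas the allowlist only has to be right about the handful of attributes it chooses to keep, and it checks the URL in the form the browser will actually see (entities decoded, embedded whitespace stripped) rather than the raw bytes in the message.</P>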