lug-bg: Lug-bg: Otnowo Bulgarin se e predstawil dobre 4estito na MS
- Subject: lug-bg: Lug-bg: Otnowo Bulgarin se e predstawil dobre 4estito na MS
- From: slavi@xxxxxxxxxxxxxxxxxxxxx (Svetoslav Traikov)
- Date: Mon, 11 Jun 2001 02:59:47 +0300 (EEST)
W4era se roveh iz rootshell org i wijte na kakwo popadnah:)
(Ed: A quick check of other services that allow you to read your own mail
from any POP3 server found that hotmail isn't the only one with this
problem. We went to www.thatweb.com and found they have the same problem.
A test of Yahoo!Mail found that they replace javascript with java-script
anywhere in an e-mail.)
Hotmail security hole - injecting JavaScript using
Georgi Guninski <joro@xxxxxx>
Georgi Guninski security advisory #1, 2000
Hotmail security hole - injecting JavaScript using <IMG
LOWSRC="javascript:....">
Disclaimer:
The opinions expressed in this advisory and program are my own and not of
any company. The usual standard disclaimer applies, especially the fact
that
Georgi Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program. Georgi
Guninski, bears NO responsibility for content or misuse of this program or
any derivatives thereof.
Description:
Hotmail allows executing JavaScript code in email messages using <IMG
LOWSRC="javascript:....">,
which may compromise user's Hotmail mailbox.
Details:
There is a major security flaw in Hotmail which allows injecting and
executing JavaScript code in an email message using the javascript
protocol.
This exploit works both on Internet Explorer 5.x (almost sure IE 4.x) and
Netscape Communicator 4.x. Hotmail filters the "javascript:" protocol for
security reasons. But the following JavaScript is executed: <IMG
LOWSRC="javascript:alert('Javascript is executed')"> if the user has
enabled
automatically loading of images (most users have).
Executing JavaScript when the user opens Hotmail email message allows for
example displaying a fake login screen where the user enters his password
which is then stolen. I don't want to make a scary demonstration, but it
is
also possible to read user's messages, to send messages from user's name
and
doing other mischief. It is also possible to get the cookie from Hotmail,
which is dangerous. Hotmail deliberately escapes all JavaScript (it can
escape) to prevent such attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses Internet Explorer
5.x
Workaround: Disable JavaScript
The code that must be included in HTML email message is:
--------------------------------------------------------
<IMG LOWSRC="javascript:alert('Javascript is executed')">
--------------------------------------------------------
Regards,
Georgi Guninski
http://www.nat.bg/~joro
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
|