[11899] in bugtraq


Re: Hotmail security vulnerability - injecting JavaScript using

daemon@ATHENA.MIT.EDU (Olaf Titz)
Tue Sep 14 20:48:11 1999

Message-Id:  <E11QoOz-0000Ko-00@g212.hadiko.de>
Date:         Tue, 14 Sep 1999 10:57:25 +0300
Reply-To: Olaf Titz <olaf@BIGRED.INKA.DE>
From: Olaf Titz <olaf@BIGRED.INKA.DE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In article <37DCF0FE.908E4B4F@nat.bg> you write:
> Note: This is not a browser problem, it is Hotmail's problem.

It is a browser problem, at least for the Netscape version.

> <P STYLE="left:expression(eval('alert(\'JavaScript is
> executed\');window.close()'))" >

One could argue that styles can be computed via Javascript...

> <STYLE TYPE="text/javascript">

...but that is ridiculous. The browser should simply ignore a
stylesheet of an unknown type, there is a reason for the type
parameter after all. (Unless it is a deliberate feature that you can
substitute STYLE for SCRIPT, which I somehow doubt.)

This is not only a problem for Hotmail but for all sorts of proxies
which filter Javascript for security reasons. Since there is at least
one recent version of both NC and IE which _doesn't_ let you disable
Javascript at all due to bugs, such filtering is an absolute
necessity, but you need to know where in the data stream it can
appear.

Btw. the example given for IE is a classic example of what is so wrong
with Javascript: you can do anything with it - including e.g. trivial
stealing of passwords by popping up fake login dialogs - _even if it
doesn't make sense in the context_. This alone is a reason to
completely block and disable it.

Olaf
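As an added example, not part of Olaf's post or the thread, here is a small Python check of the kind a filtering proxy he mentions would need: it flags the two style-carried vectors quoted above, `expression()` inside a STYLE attribute and a STYLE element whose TYPE is not text/css. The sample HTML is constructed to mirror those quotes.

```python
import re
from html.parser import HTMLParser

# Constructed sample mirroring the two vectors quoted in the thread,
# plus two benign style uses that must not be flagged.
SAMPLE_HTML = """
<html><body>
<P STYLE="left:expression(eval('alert(1)'))">hi</P>
<STYLE TYPE="text/javascript">alert(2)</STYLE>
<STYLE TYPE="text/css">p { color: red }</STYLE>
<p style="color: blue">fine</p>
</body></html>
"""

EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)

def _normalize_css(value):
    # Strip CSS comments and whitespace so "expr/**/ession (" is still caught.
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.DOTALL)
    return re.sub(r"\s+", "", value)

class ScriptInStyleDetector(HTMLParser):
    """Records style-carried script vectors: expression() in STYLE
    attributes and <STYLE> elements whose TYPE is not text/css."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "style":
            # A missing TYPE defaults to CSS; anything else is suspect.
            stype = attrs.get("type", "text/css").strip().lower()
            if stype not in ("", "text/css"):
                self.findings.append(("style-element-type", stype))
        style_attr = attrs.get("style")
        if style_attr and EXPRESSION_RE.search(_normalize_css(style_attr)):
            self.findings.append(("style-attr-expression", tag))

def find_script_in_styles(html):
    """Return a list of (finding-kind, detail) tuples for the given HTML."""
    detector = ScriptInStyleDetector()
    detector.feed(html)
    detector.close()
    return detector.findings

if __name__ == "__main__":
    for kind, detail in find_script_in_styles(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

A proxy would reject or strip the offending attribute or element rather than merely report it; the detector only shows where in the stream such script can hide.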
