[11911] in bugtraq


Re: Hotmail security vulnerability - injecting JavaScript

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Wed Sep 15 04:22:59 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <37DF48BA.2D0B3F9@nat.bg>
Date:         Wed, 15 Sep 1999 10:20:26 +0300
Reply-To: Georgi Guninski <joro@NAT.BG>
From: Georgi Guninski <joro@NAT.BG>
X-To:         Olaf Titz <olaf@BIGRED.INKA.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

Olaf Titz wrote:
>
> In article <37DCF0FE.908E4B4F@nat.bg> you write:
> > Note: This is not a browser problem, it is Hotmail's problem.
>
> It is a browser problem, at least for the Netscape version.

I continue to think this is NOT a browser problem. In both Netscape and
Internet Explorer the behaviour of executing JavaScript via STYLE tag is
fully documented, check the documentation. The fact that Hotmail does
not filter this kind of JavaScript is Hotmail's problem.

>
> > <P STYLE="left:expression(eval('alert(\'JavaScript is
> > executed\');window.close()'))" >
>
> One could argue that styles can be computed via Javascript...
>

This definitely works, I have tried it numerous times. The same may be
reproduced by:
<A HREF="#" STYLE="left:(expression(...))">link</A> and in many other
cases.

> > <STYLE TYPE="text/javascript">
>
> ...but that is ridiculous. The browser should simply ignore a
> stylesheet of an unknown type, there is a reason for the type
> parameter after all. (Unless it is a deliberate feature that you can
> substitute STYLE for SCRIPT, which I somehow doubt.)
>

Again, this behaviour is fully documented in Netscape's documentation.


Regards,
Georgi
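
As an added example that is not part of the original thread or of any Hotmail code: a small Python audit that a mail provider could run over an HTML message body before rendering it, flagging the two STYLE-based vectors discussed above, namely CSS expression() in style attributes or stylesheet bodies, and STYLE elements whose TYPE is not text/css. The sample message, the comment-split variant, and the function names (audit_html, is_safe, contains_expression) are constructed for this illustration; the comment-stripping step assumes a CSS parser that discards /* */ comments before tokenising, which is what standard CSS does.

```python
"""Audit an HTML e-mail body for STYLE-based script vectors.

Added example, not code from the original post.  It flags:
  * CSS expression(...) in style attributes and in <style> sheet bodies
  * <style> elements whose declared TYPE is something other than text/css
"""
from html.parser import HTMLParser
import re

# CSS comments are discarded by the tokeniser, so "exp/**/ression(" must be
# treated the same as "expression(".  Strip them before matching.
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def contains_expression(css_text):
    """True if the CSS text invokes expression(), ignoring comment-splitting."""
    return EXPRESSION_RE.search(CSS_COMMENT_RE.sub("", css_text)) is not None


class StyleAuditor(HTMLParser):
    """Collect (line, reason) findings while parsing.

    HTMLParser lowercases tag and attribute names and decodes character
    references in attribute values, so an entity-encoded "expression" is
    seen in its decoded form here.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_css_style = False  # inside a <style> declared as text/css

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        # Any element may carry a style attribute; check every one.
        for name, value in attrs:
            if name == "style" and value and contains_expression(value):
                self.findings.append((line, f"<{tag}> style attribute uses expression()"))
        if tag == "style":
            declared = dict(attrs).get("type")
            declared = (declared or "text/css").strip().lower()
            if declared != "text/css":
                # e.g. TYPE="text/javascript": not a stylesheet at all
                self.findings.append((line, f"<style> declares type {declared!r}"))
                self._in_css_style = False
            else:
                self._in_css_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_css_style = False

    def handle_data(self, data):
        # <style> content is delivered raw (CDATA); expression() also works
        # from a stylesheet body, not only from an attribute.
        if self._in_css_style and contains_expression(data):
            self.findings.append((self.getpos()[0], "<style> sheet body uses expression()"))


def audit_html(fragment):
    """Return a list of (line_number, reason) for every vector found."""
    auditor = StyleAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings


def is_safe(fragment):
    """Convenience predicate: True when the audit reports nothing."""
    return not audit_html(fragment)


# Constructed sample message: lines 1-3 are benign, lines 4-7 each carry
# one of the vectors (line 4 and line 5 are the two payloads from the thread).
SAMPLE_MESSAGE = r"""<p>Hi,</p>
<p style="color: red; left: 10px">benign inline style</p>
<style type="text/css">p { color: blue }</style>
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">payload 1</P>
<STYLE TYPE="text/javascript">alert('executed')</STYLE>
<div style="left: exp/* comment */ression ( 1 )">comment-split variant (constructed)</div>
<style>body { left: expression(alert(1)) }</style>
"""

if __name__ == "__main__":
    for line, reason in audit_html(SAMPLE_MESSAGE):
        print(f"line {line}: {reason}")
```

Running the block prints one finding per vector line (4, 5, 6 and 7) and nothing for the benign lines. A filter built on this would reject or strip the flagged attributes and elements rather than trusting the declared TYPE, which is the point Olaf raised: the type parameter alone does not protect the recipient when the browser falls back to treating the element as script.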
