daemon@ATHENA.MIT.EDU (Dustin Miller)
Fri Jan 7 17:14:58 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <JFEPKGJOFIGAENMDDKPMGELICBAA.dmiller@wfdevelopment.com>
Date: Wed, 5 Jan 2000 13:34:32 -0600
Reply-To: Dustin Miller <dmiller@WFDEVELOPMENT.COM>
From: Dustin Miller <dmiller@WFDEVELOPMENT.COM>
X-To: Metal Hurlant <metal_hurlant@YAHOO.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <0001051148390B.00475@jameson.paris.yahoo.com>
This approach would be ideal if it weren't for the fact that any browser
that didn't understand the "blockscript" tag would patently ignore it, and
its intended function would be lost.
Dustin Miller, President
WebFusion Development Incorporated
http://www.wfdevelopment.com
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Metal
Hurlant
Sent: Wednesday, January 05, 2000 4:38 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Hotmail security hole - injecting JavaScript using <IMG
On Tue, 04 Jan 2000, Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag? While a
> JavaScript script may load an image on its own, I don't see why the
> script itself should be loaded and parsed from an <IMG> tag.
Netscape actually tries to parse the value returned by the script, so if
your
script returns, for example, a valid XPM string, you'll get that image
displayed.
What could be useful would be a tag working like
<blockscript key=randompieceofdata>
</blockscript key=samepieceofdata>
anything between these tags would still get parsed as HTML, but with no
script
hook working.
That way, filtering scripts out of untrusted HTML would become the browser
manufacturers responbility, and things would be a lot easier for everyone
else.
Just dreaming,
Henri Torgemane
