COMMAND
Hotmail
SYSTEMS AFFECTED
Hotmail
PROBLEM
Georgi Guninski found the following. There is a major security flaw
in Hotmail which allows injecting and executing JavaScript code in
an email message using the <STYLE> tag. The vulnerability is
present if the user uses Internet Explorer 5.0 or Netscape
Communicator 4.x (though the exploit is different for each).
Executing JavaScript when the user opens a Hotmail email message
allows, for example, displaying a fake login screen where the user
enters his password, which is then stolen. It is also possible to
read the user's messages, to send messages in the user's name, and
to do other mischief. Hotmail deliberately escapes all JavaScript
(that it can escape) to prevent such attacks, but obviously there
are holes. It is much easier to exploit these vulnerabilities if
the user uses Internet Explorer 5.0. Note: this is not a browser
problem, it is Hotmail's problem.
The code that must be embedded in an HTML email message is, for IE
5.0:
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >
For Netscape Communicator:
<STYLE TYPE="text/javascript">
alert('JavaScript is executed');
a=window.open(document.links[2]);
setTimeout('alert(\'The first message in your Inbox is from: \'+a.document.links[26].text)',20000);
</STYLE>
Metal Hurlant added the following two ways to the list. For NS4.x,
JavaScript entities:
<anytag anyparam=&{alert("this will run too")}; >
For NS4.x, mocha: URLs:
<img src=mocha:"alert('this will run as well')" width=1 height=1>
This is actually more than just another Hotmail glitch. Many web
services are doing things wrong:
- Cookies can get stolen through CGI scripts that insert their
input into the HTML they generate without (enough) checks, thus
allowing scripts to run. Stealing cookies is only an example
here. Once you run a script on the same domain as the targeted
web service, that script can do anything the user himself can do
(except that the script doesn't know what the user knows, like the
user's password). Disabling scripts can help, if the web service
allows you to do so. The fix is obvious, but time-consuming:
every single server script must be verified and patched to
prevent HTML tags from going through unfiltered. As long as there
is one script left unchecked, the web service isn't safe.
- Keyed URLs can be found by using the referrer field: try to
insert a link in a mail message, and watch the document.referrer
property you obtain this way.
The problem with JavaScript entities (i.e., &{<expression>};)
happens all over the Web. Here are some places that Richard M.
Smith found where it is possible to inject JavaScript code into
Web pages:
1. Most Web Email services
2. Most Web message board software
3. Most guest book software
4. Yahoo profiles (this has now been fixed)
5. Techstocks Web board messages.
6. Some search engine result pages
7. eBay auction postings
8. Netcenter (now fixed)
Basically a JavaScript entity can be added to the end of any URL
for an image or a link. When the page is displayed, the code
in the entity is executed. Pretty much any Web site that accepts
user-supplied information can have the problem.
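As an added illustration of the server-side fix described above (keeping user-supplied HTML from going through unfiltered) and of the JavaScript-entity-in-URL problem, here is an allowlist-based sanitizer for HTML mail bodies. It is example code written for this page, not Hotmail's code nor that of any of the researchers named; the tag and attribute allowlists, the SAFE_SCHEMES set and the clean_url/sanitize helper names are assumptions chosen for the example. It drops style attributes and <STYLE>/<SCRIPT> blocks outright (so expression() and text/javascript stylesheets never reach the browser), rejects mocha: and javascript: URLs in href/src, and re-escapes every attribute value and text run so that a &{...}; entity is emitted as the inert text &amp;{...};.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (assumed for this example): only these tags survive, and only
# these attributes on them. Everything else, including any style attribute,
# <style>/<script> blocks and unknown tags, is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}       # assumed policy
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def clean_url(value):
    """Return the URL with browser-ignored control characters removed, or
    None if its scheme is not allowed. Relative URLs (no scheme) pass;
    mocha:, javascript:, and any other scheme are rejected. Stripping
    whitespace/control characters first means 'java\\nscript:' is not a bypass."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = _SCHEME_RE.match(cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return None
    return cleaned


class MailSanitizer(HTMLParser):
    """Rebuilds a message from the allowlist and records what it dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # pieces of the sanitized output
        self.dropped = []    # human-readable log of removed items
        self._skipping = 0   # > 0 while inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skipping += 1
            self.dropped.append(f"<{tag}> block")
            return
        if self._skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag <{tag}>")
            return
        parts = [tag]
        for name, value in attrs:            # names are already lowercased
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attribute {name} on <{tag}>")
                continue
            if name in URL_ATTRS:
                value = clean_url(value)
                if value is None:
                    self.dropped.append(f"unsafe URL in {name} on <{tag}>")
                    continue
            # Escaping '&' turns a JavaScript entity &{...}; into &amp;{...};
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skipping = max(0, self._skipping - 1)
            return
        if self._skipping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            # Text is re-escaped, so entities in the body are also neutralised.
            self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        self.dropped.append("comment")       # comments are never re-emitted


def sanitize(message):
    """Return (sanitized_html, list_of_dropped_items) for one message body."""
    s = MailSanitizer()
    s.feed(message)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    # Constructed sample message carrying the vectors discussed above.
    sample = ('<P STYLE="left:expression(eval(\'alert(1)\'))">Hello</P>'
              '<STYLE TYPE="text/javascript">alert(1)</STYLE>'
              '<img src="mocha:alert(1)" width="1" height="1">'
              '<a href="http://example.com/&{alert(1)};">link</a>')
    clean, dropped = sanitize(sample)
    print(clean)
    print(dropped)
```

The design choice worth noting is that the sanitizer is an allowlist rebuilt from parsed tokens, not a denylist of known-bad strings: the expression() trick is stopped by the rule "no style attributes at all", and the mocha: trick by "only these schemes", so new vectors of the same shape are covered without a pattern for each. The dropped list doubles as detection output, which is what a mail service would want to log.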
SOLUTION
Workaround: Disable JavaScript