Date: Sat, 17 Jul 2004 18:33:10 +0200
From: "GreyMagic Security" <security@...ymagic.com>
To: "Paul" <paul@...yhats.cjb.net>, <bugtraq@...urityfocus.com>
Subject: Re: Hotmail Cross Site Scripting Vulnerability


>Hotmail Cross Site Scripting Vulnerability

--snip--

>Well, Hotmail was just nice enough to be a little lenient on what
>goes in-between those 'if' tags. I suppose that's so MS Word can
>send stuff through email to Hotmail customers without it getting
>messed up.

The problem is not "if" tags; the problem is the syntax in which they are
represented in the document (HTML comments). Hotmail doesn't check anything
between HTML comments because it assumes they won't be processed by the
browser, not because it tries to leave backdoors for MSO docs. Hotmail's
assumption that HTML comments are safe collides with the well-documented
concept of "conditional comments" by the very same company.

See
http://msdn.microsoft.com/workshop/author/dhtml/overview/ccomment_ovw.asp
for more information.

Btw, this will work just fine without any need for MSO trickery:

<!--[if IE gte 5]> <img src="javascript:alert()"> <![endif]-->

Simply checks if IE's major version is equal to or greater than 5 and executes
the content if true (older versions don't have the conditional comments
feature, but they're irrelevant market-share-wise anyway).

Cheers.
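The filter assumption the reply describes, modelled as an added example that is not part of the original post and not Hotmail's or Microsoft's code. The naive filter below sanitizes tags but copies anything between `<!--` and `-->` through untouched, on the assumption that no browser renders comment contents; the "IE renderer" is a deliberately simplified model of downlevel-hidden conditional comments (it accepts the operator-first form documented by MSDN, `[if gte IE 5]`, and, for the sake of the post's example, the `[if IE gte 5]` ordering, without claiming which real IE versions accepted the latter); the hardened filter removes comments outright before sanitizing. The message body `PAYLOAD` is constructed for the demo, and all function names are the example's own.

```javascript
// Added example: toy model of "skip what's inside HTML comments" filtering
// versus what an IE >= 5 renderer does with a conditional comment.
// Not Hotmail's code; the filter and the IE model are simplifications.

// A javascript: URL in src/href is the dangerous value the toy filter hunts.
const JS_URL = /^\s*javascript:/i;

// Rewrite one tag: drop src/href attributes whose value is a javascript: URL.
function sanitizeTag(tag) {
  return tag.replace(/\s(src|href)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi,
    (match, name, value) => {
      const v = value.replace(/^["']|["']$/g, "");
      return JS_URL.test(v) ? "" : match;
    });
}

// Naive filter (the assumption described in the post): tags are sanitized,
// but a comment is copied through verbatim because "browsers ignore it".
function naiveFilter(html) {
  let out = "", i = 0;
  while (i < html.length) {
    if (html.startsWith("<!--", i)) {
      const end = html.indexOf("-->", i + 4);
      const stop = end === -1 ? html.length : end + 3;
      out += html.slice(i, stop);          // comment body passes untouched
      i = stop;
    } else if (html[i] === "<") {
      const end = html.indexOf(">", i);
      const stop = end === -1 ? html.length : end + 1;
      out += sanitizeTag(html.slice(i, stop));
      i = stop;
    } else {
      out += html[i++];
    }
  }
  return out;
}

// Hardened filter: comments (conditional or not) are removed before the
// remaining markup is sanitized, so nothing inside them can reach IE.
function hardenedFilter(html) {
  return naiveFilter(html.replace(/<!--[\s\S]*?(?:-->|$)/g, ""));
}

// Downlevel-hidden conditional comment: <!--[if expr]> ... <![endif]-->
const COND = /<!--\[if\s+([^\]]+)\]>([\s\S]*?)<!\[endif\]-->/gi;

// Evaluate "[if ...]" against an IE major version. Supports IE, !IE,
// "IE N", "op IE N" and "IE op N" with op in gt/gte/lt/lte (toy grammar).
function evalCondition(expr, ieMajor) {
  let tokens = expr.trim().split(/\s+/);
  let negate = false;
  if (tokens[0] === "!") { negate = true; tokens = tokens.slice(1); }
  else if (tokens[0].startsWith("!")) { negate = true; tokens[0] = tokens[0].slice(1); }
  if (!tokens.some(t => t.toUpperCase() === "IE")) return false; // not about IE
  const ops = { gt: (a, b) => a > b, gte: (a, b) => a >= b,
                lt: (a, b) => a < b, lte: (a, b) => a <= b };
  let op = "eq", version = null;
  for (const t of tokens.filter(t => t.toUpperCase() !== "IE")) {
    if (Object.prototype.hasOwnProperty.call(ops, t)) op = t;
    else if (/^\d+(\.\d+)?$/.test(t)) version = parseInt(t, 10);
    else return false;                    // unparseable expression: false
  }
  let result;
  if (version === null) result = true;    // plain "IE"
  else if (op === "eq") result = ieMajor === version;
  else result = ops[op](ieMajor, version);
  return negate ? !result : result;
}

// Markup an IE of the given major version effectively renders: true
// conditional comments are replaced by their contents, all other comments
// are dropped as any browser would.
function renderAsIE(html, ieMajor) {
  const expanded = html.replace(COND, (m, expr, body) =>
    evalCondition(expr, ieMajor) ? body : "");
  return expanded.replace(/<!--[\s\S]*?(?:-->|$)/g, "");
}

// Did a javascript: URL survive into the rendered markup?
function containsScriptUrl(html) {
  return /\s(src|href)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed message body modelled on the post's example.
const PAYLOAD = 'Hello <!--[if IE gte 5]> <img src="javascript:alert()"> <![endif]--> world';

function demo() {
  const naive = naiveFilter(PAYLOAD);
  const hardened = hardenedFilter(PAYLOAD);
  return {
    naiveRenderedByIE6: containsScriptUrl(renderAsIE(naive, 6)),       // true
    naiveRenderedByIE4: containsScriptUrl(renderAsIE(naive, 4)),       // false
    hardenedRenderedByIE6: containsScriptUrl(renderAsIE(hardened, 6)), // false
  };
}

console.log(demo());
```

The point the demo makes is the one in the reply: the naive filter does catch `<img src="javascript:...">` when it appears as an ordinary tag, yet passes the identical tag when it is wrapped in a conditional comment, and IE 5+ then evaluates the comment and renders the tag. Treating comments as content to be removed, rather than as inert text to skip, closes the gap regardless of what expression the comment carries.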

