lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <004001c46c1b$bfbb0c80$060010b0@dagon>
Date: Sat, 17 Jul 2004 18:33:10 +0200
From: "GreyMagic Security" <security@...ymagic.com>
To: "Paul" <paul@...yhats.cjb.net>, <bugtraq@...urityfocus.com>
Subject: Re: Hotmail Cross Site Scripting Vulnerability


>Hotmail Cross Site Scripting Vulnerability

--snip--

>Well, Hotmail was just nice enough to be a little lenient on what
>goes in-between those 'if' tags. I suppose that's so MS Word can
>send stuff through email to Hotmail customers without it getting
>messed up.

The problem is not "if" tags, the problem is the syntax in which they are
represented in the document (HTML Comments). Hotmail doesn't check anything
between HTML comments because it assumes they won't be processed by the
browser, not because it tries to leave backdoors for MSO docs. Hotmail's
assumption that HTML comments are safe collides with the well-documented
concept of "conditional comments" by the very same company.

See
http://msdn.microsoft.com/workshop/author/dhtml/overview/ccomment_ovw.asp
for more information.

Btw, this will work just fine without any need for MSO trickery:

<!--[if IE gte 5]> <img src="javascript:alert()"> <![endif]-->

Simply checks if IE's major version is equal or greater than 5 and executes
the content if true (older versions don't have the conditional comments
feature, but they're irrelevant market-share wise anyway).

Cheers.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ