Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Hotmail Cross-Site Scripting Vulnerability #1

from [Rafel Ivgi] Network Security [Permanent Link]
Subject: Hotmail Cross-Site Scripting Vulnerability #1
Date: Fri, 15 Oct 2004 10:55:26 +0200 
Finjan Security Advisory
=================
Hotmail Cross-Site Scripting Vulnerability #1


Introduction
------------
Finjan has discovered a script injection vulnerability in
Hotmail that allows a remote attacker to execute malicious
scripts when the victim is reading his/her mail.


Technical Description
---------------------
Hotmail’s mobile code filtering mechanism is based on an active
content filter whose purpose is to block the injection of any
active content into Hotmail messages. Hotmail’s filter identifies
any possibly malicious HTML tags, properties and elements,
and then modifies them into a non-malicious code.

When analyzing an HTML condition comment tag
(for example: “<![if IE gte 4]>”), Hotmail’s filter changes it to
a comment (e.g. “<! [if IE gte 4]>”). A space character is added
after the “!”, making the code inside the condition be treated as
a comment rather than as an executable. Any potentially malicious
code inside the condition is not altered.

For example:
<! [if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>

In order to bypass this protection, a comment tag can be added before
the condition tag.

For example:
<!--   <![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>

At this stage the code is harmless since Internet browsers treat
this script as an HTML comment. However, a possible risk arises
when an HTML condition comment tag opener (“<!”) is inserted at
the beginning of the code.

For example:
<! <!--   <![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>

Since Hotmail’s HTML filter treats this code as a comment, it does
not filter out the script. In contrast, Internet browsers do not
treat this script as a comment, but rather execute the code inside
the condition tag. In this manner, any tag that supports style,
events or javascript execution can be used to remotely call a javascript file.

The injected javascript code could be used for:
• Automatically launching malicious code
• Stealing the victim’s password by using a spoofed re-login window
• Reading the victim’s inbox and contacts
• Sending email messages without any user authorization.


The Code (Proof of Concept)
----------------------cut here-----------------------
<!
<!--
<![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>
----------------------cut here-----------------------


Vulnerability Status
--------------------
Vendor was notified on Sep 8th, 2004.
The bug is now fixed.


Credit
------
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd. 


-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet 
Vital Security 1Box(tm)

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Hotmail Cross-Site Scripting Vulnerability #1, Rafel Ivgi <=
Previous by Date:  [VulnWatch] Hotmail Cross Site Scripting Vulnerability #2, Rafel Ivgi
Next by Date:  Yahoo! Mail Cross-Site Scripting Vulnerability, Rafel Ivgi
Previous by Thread:  [VulnWatch] Hotmail Cross Site Scripting Vulnerability #2, Rafel Ivgi
Next by Thread:  Yahoo! Mail Cross-Site Scripting Vulnerability, Rafel Ivgi
Indexes:  [Date] [Thread] [Top] [All Lists]