Vulnerability: Hotmail
Affected: Hotmail

Description:

Georgi Guninski found the following. There is a major security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the <STYLE> tag. The vulnerability is present if the user uses Internet Explorer 5.0 or Netscape Communicator 4.x (though the exploit is different for each). Executing JavaScript when the user opens a Hotmail email message allows, for example, displaying a fake login screen where the user enters his password, which is then stolen. It is also possible to read the user's messages, to send messages in the user's name, and to do other mischief.

Hotmail deliberately escapes all JavaScript (that it can recognize) to prevent such attacks, but obviously there are holes. It is much easier to exploit these vulnerabilities if the user uses Internet Explorer 5.0.

Note: This is not a browser problem, it is Hotmail's problem.

The code that must be embedded in an HTML email message is, for IE 5.0:

  <P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))" >

For Netscape Communicator:

  <STYLE TYPE="text/javascript">
  alert('JavaScript is executed');
  a=window.open(document.links[2]);
  setTimeout('alert(\'The first message in your Inbox is from: \'+a.document.links[26].text)',20000);
  </STYLE>

Metal Hurlant added the following two ways to the list.

NS4.x JavaScript entities:

  <anytag anyparam=&{alert("this will run too")}; >

NS4.x mocha: URLs:

  <img src=mocha:"alert('this will run as well')" width=1 height=1>

This is actually more than just another Hotmail glitch. Many web services are doing things wrong:

- Cookies can get stolen through CGI scripts that insert their input into the HTML they generate without (enough) checks, thus allowing scripts to run. Stealing cookies is only an example here. Once you run a script on the same domain as the targeted web service, that script can do anything the user himself can do (except that the script doesn't know what the user knows, such as the user's password). Disabling scripts can help, if the web service allows you to do so. The fix is obvious, but time-consuming: every single server script must be verified and patched to prevent HTML tags from going through unfiltered. As long as there is one script left unchecked, the web service isn't safe.

- Keyed URLs can be found by using the referrer field: insert a link to your own page in a mail message and look at the document.referrer property you obtain this way when the recipient follows the link.

The problem with JavaScript entities (i.e., &{<expression>};) happens all over the Web. Here are some places that Richard M. Smith found where it is possible to inject JavaScript code into Web pages:

1. Most Web email services
2. Most Web message board software
3. Most guest book software
4. Yahoo profiles (this has now been fixed)
5. Techstocks Web board messages
6. Some search engine result pages
7. eBay auction postings
8. Netcenter (now fixed)

Basically, a JavaScript entity can be added to the end of any URL for an image or a link. When the page is displayed, the code in the entity is executed. Pretty much any Web site that allows user-supplied information can have the problem.

Solution:

Workaround: Disable JavaScript.
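The server-side fix the advisory calls for (every script that echoes user input must encode it) is shown here as an added example; it is not code from the advisory, from Hotmail or from any of the sites listed above. It serves both the CGI-script bullet and the JavaScript-entity list: the point the advisory's payloads make is that stripping <SCRIPT> tags is not enough, because the Netscape entity form starts with an ampersand and the mocha: form is a URL scheme, so the encoder has to cover & as well as <, and any user-supplied image or link URL needs its scheme checked. The function names escapeHtml, safeUrl, isInert and renderMessage are assumptions, and the payload strings are the ones quoted above, reconstructed as test input.

```javascript
// Added example, not from the advisory: output encoding plus a URL scheme
// check, applied to the four payloads quoted in the advisory. Function names
// and the renderMessage() page shape are assumptions made for this example.

// The advisory's payloads, reconstructed here as constructed test input.
const PAYLOADS = [
  '<P STYLE="left:expression(eval(\'alert(1)\'))" >',          // IE 5.0 CSS expression
  '<STYLE TYPE="text/javascript">alert(1)</STYLE>',            // NS 4.x script stylesheet
  '<anytag anyparam=&{alert("this will run too")}; >',         // NS 4.x JavaScript entity
  '<img src=mocha:"alert(\'x\')" width=1 height=1>',           // NS 4.x mocha: URL
];

// Encode the five characters that can open a tag, end an attribute value or
// start a JavaScript entity. Encoding "&" is what defuses "&{...};": the
// browser receives "&amp;{...};" and displays it as text instead of running it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http, https and mailto URLs. "mocha:", "javascript:" and any
// scheme smuggled behind control characters collapse to a dead link ("#").
// The surviving URL is still HTML-encoded, so an entity appended to it
// ("...&{alert(1)};") reaches the attribute as "&amp;{...};".
function safeUrl(url) {
  const trimmed = String(url).trim();
  if (/[\u0000-\u001f]/.test(trimmed)) return '#';   // e.g. "java\tscript:"
  if (!/^(https?|mailto):/i.test(trimmed)) return '#';
  return escapeHtml(trimmed);
}

// True when an encoded fragment contains nothing the 1999 browsers could run:
// no tag opener, no raw quote that could close an attribute, no "&{" entity.
function isInert(fragment) {
  return !/[<>"']|&\{/.test(fragment);
}

// A message view that treats every sender-supplied value as data, never markup.
function renderMessage(from, body, linkUrl) {
  return (
    `<p>From: ${escapeHtml(from)}</p>` +
    `<pre>${escapeHtml(body)}</pre>` +
    `<a href="${safeUrl(linkUrl)}">link</a>`
  );
}

// Stand-alone demonstration: every payload is inert once encoded.
for (const p of PAYLOADS) {
  console.log(isInert(escapeHtml(p)) ? 'inert  ' : 'ACTIVE ', escapeHtml(p));
}
console.log(renderMessage('attacker@example.com', PAYLOADS[2], 'mocha:"alert(1)"'));
```

The scheme allowlist is deliberately short: rejecting "everything that is not http, https or mailto" is what catches mocha: and javascript: without needing a list of dangerous schemes, and the control-character check closes the "java<tab>script:" variant that a plain prefix match would let through.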