Guardian Digital Inc. > InfoCenter > Mailing List Archives > Full Disclosure

Full Disclosure Mailing List Archive

From: Rafel Ivgi, The-Insider (rivgi@finjan.com)
Date: Thu Oct 14 2004 - 13:20:55 EDT

Finjan Security Advisory
Hotmail Cross Site Scripting Vulnerability

Finjan has discovered a script injection vulnerability in Hotmail
that allows a remote attacker to execute malicious scripts when
the victim is reading his/her email.

Technical Description
Hotmail’s mobile code filtering mechanism is based on an active
content filter whose purpose is to block the injection of any
active content into Hotmail messages. Hotmail’s filter identifies
any possibly malicious HTML tags, properties and elements, and
then modifies them into a non-malicious code.

When receiving an email, Hotmail’s filtering engine analyzes
and filters the HTML event properties inside the email’s HTML
tags. Hotmail’s filter identifies the “dangerous” event properties
and renames them to “x”+event, thereby alters their original

For example:
<img onmouseover=alert()></img>
is renamed to:
<img xonmouseover=alert()></img>

While the filter analyzes the data, it does not inspect all content
after the “=” and before the next property. This means that in
the example above, the “alert()” code will not be inspected and
filtered. This can be exploited by creating a malformed HTML
tag which will ‘fake’ a property and then execute an event property.

The malformed request must have the following syntax:
<[anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)]
 [event property]=[javascript]>

For example:
<img MCRC= onmouseover=alert()>

All the data after the “=[special char][space]” tag is considered
by Hotmail’s filter to be the data inside the fake tag, and it
is therefore not inspected. Internet browsers however, execute
this as a valid code.

ANY tag/object that supports HTML events can be used to remotely
call a JavaScript file. The injected JavaScript code is responsible for:
• Automatically launching malicious code
• Stealing the victim’s password by using a spoofed re-login window
• Reading the victim’s inbox and contacts
• Sending email messages without any user authorization

The Code (Proof Of Concept)
----------------------cut here-----------------------
<img src=”http://www.finjan.com/images/logo.gif%94 MCRC= onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)><img>
----------------------cut here-----------------------

Vulnerability Status
Vendor was notified on Sep 8th, 2004.
The bug is now fixed.

Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.