Hotmail vulnerable to character replacement hole (jAvascript:)
----------------------------------------------------------------------------


SUMMARY

Security holes in Hotmail are dangerous for two important reasons. First, 
Hotmail is used by a huge number of inexperienced Internet users (who do 
not wish to pay for 'regular' e-mail accounts). Those users are mostly 
security unaware, and security holes in Hotmail are likely to make them 
vulnerable to attack. The second reason Hotmail attacks are dangerous is 
that such an attack is extremely easy to conduct. Unlike a 'malicious web 
site' attack, the attacker can initiate the attack (simply by sending an 
e-mail message). It is easy to verify whether the victim is vulnerable (an 
address of the form [EMAIL PROTECTED] certainly belongs to a Hotmail user) 
and, again unlike a normal HTML attack, the attacker can be totally 
anonymous (since it is fairly trivial to hide the origin of an e-mail 
message).

This newly discovered Hotmail security hole is very similar to the 
previous holes (see the 'additional information' section of this 
advisory), and although Microsoft is rather quick in closing the security 
holes shortly after they're discovered, the fact that most of those holes 
are variations of the same problem shows that reading mail in Hotmail 
using a JavaScript-enabled browser is a real security risk.
This new hole bypasses Hotmail's JavaScript filtering mechanism by writing 
a character of the "javascript:" scheme as its hexadecimal character 
reference instead of writing the literal character (the code looks like 
this: <IMG SRC="j&#x41;vascript:alert('Javascript is executed')">). This 
code, when viewed in Internet Explorer, allows the attacker to read the 
victim's e-mail, and possibly perform other actions on the victim's 
mailbox.

DETAILS

Some time ago Hotmail fixed the "javas&#67ript" bug, but now a similar 
issue arises using hexadecimal codes. A security flaw in Hotmail allows 
injecting and executing JavaScript code in an email message. This exploit 
works on Internet Explorer if Active Code execution is enabled.

Hotmail filters the "javascript:" protocol for security reasons, but it 
does not filter the code "j&#x41;vascript", where "&#x41" is the 
hexadecimal character reference for "A" (ASCII 0x41), which the browser 
decodes before interpreting the URL. So the following HTML is executed: 
<IMG SRC="j&#x41;vascript:alert('Javascript is executed')">, provided the 
user has enabled automatic loading of images (most users have).
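The defensive point of the above is that a filter must decode character
references before it matches the scheme name. The following is an added
example, not code from the advisory or from Hotmail, that contrasts the
naive literal check with a normalizing one; the samples are constructed from
the forms named in this advisory (hex and decimal references).

```python
import re

# Numeric character references: decimal (&#67;) or hex (&#x41;). The trailing
# semicolon is optional because browsers such as IE accept its absence.
_CHARREF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def decode_charrefs(text: str) -> str:
    """Replace numeric character references with the characters they encode."""
    def repl(m: re.Match) -> str:
        code = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        return chr(code) if 0 < code < 0x110000 else ""
    return _CHARREF.sub(repl, text)


def naive_filter_blocks(html: str) -> bool:
    """The weak check: looks for the literal scheme name in the raw markup."""
    return "javascript:" in html.lower()


def normalized_filter_blocks(html: str) -> bool:
    """Decode character references first, then look for the scheme name."""
    return "javascript:" in decode_charrefs(html).lower()


# Constructed samples; the first two are the encodings named in the advisory.
SAMPLES = {
    "hex":     '<IMG SRC="j&#x41;vascript:alert(\'Javascript is executed\')">',
    "decimal": '<IMG SRC="javas&#67ript:alert(1)">',
    "plain":   '<IMG SRC="javascript:alert(1)">',
    "benign":  '<IMG SRC="http://example.com/logo.gif">',
}


def compare_filters() -> dict:
    """Map each sample to (naive_blocks, normalized_blocks)."""
    return {name: (naive_filter_blocks(h), normalized_filter_blocks(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in compare_filters().items():
        print(f"{name:8s} naive={naive!s:5s} normalized={normalized}")
```

Only the normalized check catches the hex and decimal variants while still
passing the benign image URL; a production filter would additionally have to
normalize whitespace and other encodings, which this example leaves out.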

This is similar to other Hotmail vulnerabilities, and they all have the 
same effect.

Workaround:
Disable Active Scripting

Exploit code:

<IMG SRC="j&#x41;vascript:alert('Javascript is executed')">



ADDITIONAL INFORMATION

Similar Hotmail vulnerabilities:

<http://www.securiteam.com/exploits/Yet_another_Hotmail_security_hole_-_injecting_JavaScript_in_IE_using___import_url_javascript______.html>
Yet another Hotmail security hole - injecting JavaScript in IE using
'@import url(javascript:...)'

<http://www.securiteam.com/securitynews/A_major_security_flaw_in_Hotmail_allows_execution_of_JavaScript_code.html>
A major security flaw in Hotmail allows execution of JavaScript code

<http://www.securiteam.com/securitynews/HotMail__cookies__security_vulnerability.html>
HotMail 'cookies' security vulnerability

<http://www.securiteam.com/securitynews/Hotmail_vulnerability_leaves_users_totally_exposed.html>
Hotmail vulnerability leaves users totally exposed

<http://www.securiteam.com/securitynews/New_security_vulnerability_in_Hotmail__injection_of_JavaScript_to_LOWSRC_.html>
New security vulnerability in Hotmail (injection of JavaScript to LOWSRC)

The information was provided by:  <mailto:[EMAIL PROTECTED]> Georgi Guninski.


