From: Georgi Guninski [joro@NAT.BG] Sent: Wednesday, September 22, 1999 8:48 AM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Yet another major Hotmail security hole - injecting JavaScript using "javasCript:" Yet another major Hotmail security hole - injecting JavaScript using "javasCript:" There is a major security flaw in Hotmail which allows injecting and executing JavaScript code in an email message using the javascript protocol. This exploit works both on Internet Explorer 5.0 (guess IE 4.x) and Netscape Communicator 4.x. Hotmail filters the "javascript:" protocol for security reasons. But it does not filter properly the following case: "javasCript:" where "C" is the ASCII code of "C". So the following HTML is executed

if the user has enabled automatically loading of images (most users have). Probably this may be used in other HTML tags. Executing JavaScript when the user opens Hotmail email message allows for example displaying a fake login screen where the user enters his password which is then stolen. I don't want to make a scary demonstration, but I am sure it is also possible to read user's messages, to send messages from user's name and doing other mischief. Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes. It is much easier to exploit this vulnerability if the user uses Internet Explorer 5.0. AFAIK this is not a browser problem, it is Hotmail's problem. Workaround: Disable JavaScript The code is:

Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Regards, Georgi Guninski http://www.nat.bg/~joro