exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Oct 3, 2003
Authored by Frank Denis

Multiple web-based mail systems, when browsed through Internet Explorer, may allow for arbitrary Javascript execution.

tags | advisory, web, arbitrary, javascript
SHA-256 | a34a778bae5158f0d6f80286e755627144609ff52df498c4a83f33efc899ac8d


Change Mirror Download
Summary : Multiple web-based mail systems browsed through Internet Explorer
can allow arbitrary javascript execution.
Date : 02/10/2003
Author : Frank Denis <j@pureftpd.org>

------------------------[ Description ]------------------------

The issue described here doesn't reveal a vulnerability in a specific
product. But the combination of features of Internet Explorer with features
of common webmail software can create a vulnerability.

1) Internet Explorer interprets stylesheets for any HTML tag, even
non-existent ones. For instance :

<xbody style="...">

is not a valid tag, but attributes are evaluated.

It may be considered as a bug or as a logical behavior, your mileage may
vary. And this alone is not a security flaw.

2) Internet Explorer can evaluate Javascript expressions in style sheets
through the "expression" keyword :

<style type="text/css">
a {
width: expression(6 * 9 + 'px');

This is not a bug either, but a proprietary, properly documented extension.

3) Due to the increase of HTML-only email, most popular webmail software can
display HTML email. In this context, Javascript _must_ be removed from every
email. To achieve this result, various tricks are used by webmail software :

- Removal or mangling of <script> tags,

- Removal or mangling of "javascript:" urls.

- Removal or mangling of properties like "onmouseover".

------------------------[ Vulnerability ]------------------------

By combining 2) with 3) and if the webmail doesn't filter out stylesheets
nor the "expression" keyword, any Javascript contained in a message will be
executed as soon as the recipient will display it.

Some webmail software are aware of that issue for a while and they are
mangling or filtering any occurrence of "expression". However, the mangling
may not work when the name of the property is escaped (like "e\xpression")
as CSS permits. Or it may not work in the context of non-existent-because-
mangled tags. The former worked on Yahoo! until yesterday (the issue was
fixed quickly after being reported, they are nice and reactive guys).

But most software simply don't know about "expression". They are _not_
faulty, though. This is not a bug nor a vulnerability. "expression" is a
proprietary extension. Webmails don't have to know about every possible
implication of every proprietary extension of every version of every
browser out there.

However, when the following conditions are met, the Javascript is executed :

- "expression" keywords aren't filtered/mangled by the webmail software.

- The client software is Internet Explorer.

- Javascript isn't disabled in the client software. Unfortunately, a lot of
public webmail systems simply don't work when Javascript is disabled.

------------------------[ Impact ]------------------------

Depending on the webmail software, complete control of the client's session
may be possible. Private mail can be deleted or bounced to evil addresses,
cookies and session identifiers can be stolen, etc.

------------------------[ Proof of concept ]------------------------

Webmail software like to filter or mangle stylesheets. Some software
totally remove everything inside <head>...</head> tags. Some software
totally remove <body>...</body> tags (possibly killing style info by the way)
instead of converting them to something like <div>...</div>. Some software
totally remove <style>...</style> definitions but accept inline css.
This is bad, because it encourages people to send broken HTML 3 code
instead of well-formed, accessible XHTML documents.
The following HTML email tries to add workarounds for this kind of filters
in order to test whether the "expression" keyword that properly gets
evaluated on Internet Explorer. It currently works at least with IE 6 +
Squirrelmail, Yahoo! and the software of a dozen public and ISP webmail
services I have an account on.

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<title>Webmail test</title>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
<body style="width:&#x65;xpres\sion(alert(1))">
<style type="text/css">
h1 {
<h1 style="width:&#x65;xpression(alert(3))">...</h1>
<div id="just-for-fun">
<a href="&#x6A;avascript:window.open(document.location);"

------------------------[ Fix ]------------------------

For the end user, there are four ways to avoid this issue :

- Don't use Internet Explorer to connect to webmails.
- Disable Javascript.
- Configure the webmail to only display mails as plain text.
- Only connect to webmails when you are 100% sure the software it is
powered by completely filters or mangles "expression" keywords and hope that
software and the version won't change silently.

__ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By