exploit the possibilities


Posted Oct 3, 2003
Authored by Frank Denis

Multiple web-based mail systems, when browsed through Internet Explorer, may allow for arbitrary Javascript execution.

tags | advisory, web, arbitrary, javascript
MD5 | f43881251d720373469aeb2a23b33b2f


Change Mirror Download
Summary : Multiple web-based mail systems browsed through Internet Explorer
can allow arbitrary javascript execution.
Date : 02/10/2003
Author : Frank Denis <j@pureftpd.org>

------------------------[ Description ]------------------------

The issue described here doesn't reveal a vulnerability in a specific
product. But the combination of features of Internet Explorer with features
of common webmail software can create a vulnerability.

1) Internet Explorer interprets stylesheets for any HTML tag, even
non-existent ones. For instance :

<xbody style="...">

is not a valid tag, but attributes are evaluated.

It may be considered as a bug or as a logical behavior, your mileage may
vary. And this alone is not a security flaw.

2) Internet Explorer can evaluate Javascript expressions in style sheets
through the "expression" keyword :

<style type="text/css">
a {
width: expression(6 * 9 + 'px');

This is not a bug either, but a proprietary, properly documented extension.

3) Due to the increase of HTML-only email, most popular webmail software can
display HTML email. In this context, Javascript _must_ be removed from every
email. To achieve this result, various tricks are used by webmail software :

- Removal or mangling of <script> tags,

- Removal or mangling of "javascript:" urls.

- Removal or mangling of properties like "onmouseover".

------------------------[ Vulnerability ]------------------------

By combining 2) with 3) and if the webmail doesn't filter out stylesheets
nor the "expression" keyword, any Javascript contained in a message will be
executed as soon as the recipient will display it.

Some webmail software are aware of that issue for a while and they are
mangling or filtering any occurrence of "expression". However, the mangling
may not work when the name of the property is escaped (like "e\xpression")
as CSS permits. Or it may not work in the context of non-existent-because-
mangled tags. The former worked on Yahoo! until yesterday (the issue was
fixed quickly after being reported, they are nice and reactive guys).

But most software simply don't know about "expression". They are _not_
faulty, though. This is not a bug nor a vulnerability. "expression" is a
proprietary extension. Webmails don't have to know about every possible
implication of every proprietary extension of every version of every
browser out there.

However, when the following conditions are met, the Javascript is executed :

- "expression" keywords aren't filtered/mangled by the webmail software.

- The client software is Internet Explorer.

- Javascript isn't disabled in the client software. Unfortunately, a lot of
public webmail systems simply don't work when Javascript is disabled.

------------------------[ Impact ]------------------------

Depending on the webmail software, complete control of the client's session
may be possible. Private mail can be deleted or bounced to evil addresses,
cookies and session identifiers can be stolen, etc.

------------------------[ Proof of concept ]------------------------

Webmail software like to filter or mangle stylesheets. Some software
totally remove everything inside <head>...</head> tags. Some software
totally remove <body>...</body> tags (possibly killing style info by the way)
instead of converting them to something like <div>...</div>. Some software
totally remove <style>...</style> definitions but accept inline css.
This is bad, because it encourages people to send broken HTML 3 code
instead of well-formed, accessible XHTML documents.
The following HTML email tries to add workarounds for this kind of filters
in order to test whether the "expression" keyword that properly gets
evaluated on Internet Explorer. It currently works at least with IE 6 +
Squirrelmail, Yahoo! and the software of a dozen public and ISP webmail
services I have an account on.

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<title>Webmail test</title>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
<body style="width:&#x65;xpres\sion(alert(1))">
<style type="text/css">
h1 {
<h1 style="width:&#x65;xpression(alert(3))">...</h1>
<div id="just-for-fun">
<a href="&#x6A;avascript:window.open(document.location);"

------------------------[ Fix ]------------------------

For the end user, there are four ways to avoid this issue :

- Don't use Internet Explorer to connect to webmails.
- Disable Javascript.
- Configure the webmail to only display mails as plain text.
- Only connect to webmails when you are 100% sure the software it is
powered by completely filters or mangles "expression" keywords and hope that
software and the version won't change silently.

__ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/

Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By