Home page logo

bugtraq logo Bugtraq mailing list archives

Re: 'cross site scripting' CERT advisory and MS
From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 11 Feb 2000 16:39:02 -0700

On Thu, 10 Feb 2000, David LeBlanc wrote:

After a bit of dinking in vi, I removed the HTML, AND got it properly
indented for response, so...

Mark Slemko wrote:

2. Do not use a mail reader that forces you to display HTML messages.
Using something like Outlook Express is very dangerous, since it
means that you can be exploited if an email message arrives in your
inbox and is displayed.

This is overkill.  The problem is scripting, not HTML, which are really
seperate issues.

NO!  NO!  NO!

I don't know how many times I have to say this: the problem is not just
with scripting languages.  Baming them there silly scripting languages is
missing the whole point.

Yes, most exploits would probably use scripting.  But that is simply
because scripting languages offer fairly complete control over a browser.
A lot of that control can be obtained just by injecting HTML or making

For example, suppose that a server sets a cookie that it then users later
to display information to the client.  Say you can store the javascript
within this cookie.  Then simply having you make a single request to the
server with the right URL could result in it setting a cookie that will
stick around when you come back later.  I have seen an example of this
(not sending it via email though) on a real, fairly major web page and it
is pretty convincing.  Even when you close your browser, if the cookie
sticks around (as it normally would), then going back to the site
"normally" later will still give you altered content.

Yes, for this example you can disable cookies when reading mail, and
should anyway for other reasons.  But what other ways are there to do
things?  I don't know.  I do know that things are complex enough that I'm
quite unwilling to say that disabling cookies and scripts will leave you
"safe".  While obviously following a link from an email, clicking on a
button, doing anything on a site that appears (ie. that the URL is
correct) to be a real site can be dangerous, that is a different issue.

Also note that if there is any way to get Outlook Express to open a new IE
window with a document in automatically when it loads an email, then you
would be vulnerable if you only disabled scripting, etc. for mail and not
for "normal" web access.  Is there a way to do this?  I don't know of any.
But again, things are complex enough that I'm quite unwilling to say there
is no way to do it.

So while disabling all the "features" that you can when reading HTML mail
is definitely recommended and protects you against a lot of attacks, it is
not a complete solution.  I seriously doubt that all the ways of
exploiting this issue without using scripting languages have been

Not that I have seen anyone publicly posting exploits that do things in
any of these ways (or any other way...), which I find odd, since there are
lots of vulnerable sites out there, and some vulnerabilities that are
pretty serious.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]