Great.  Now I feel like a doofus.  That's a simple way to at least load the message without it executing.  Obviously, there
are ways around it (like an email that starts off with a </textarea>), but at least I can kill most of the script kiddie attempts.
I'm still debating whether or not it's worth the time to scrub the messages or just kill HTML for now (yes, I'm now debating
with myself).  My templates are already slow loading as it is (not using HKSI or default templates... customer wanted
"Outlook"... go figure).  Screenshots at: http://209.16.59.28/screenshots.html
 
Thanks,
Norm
 
PS - I don't write _anything_ for NS.  I know that some people don't have this luxury, but I can fortunately control the
browser that my audience uses for this application.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Hornbaker
Sent: Sunday, March 17, 2002 2:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm,
 
We've got a JavaScript tag stripper function at http://hksi.net/tagstripper.htm that might come in handy if you're trying to fix this client-side. Loading the message body into a hidden or very small <textarea> tag, then dynamically writing a sanitized version to another div with JS, might be possible. Good luck getting it to work with NS, however. ;)
 
-Ron
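An added example, not part of the original messages and not IMail or KillerWebMail code: it models the hidden `<textarea>` holder suggested above and the `</textarea>` gap raised in the reply, and shows that entity-escaping the body before embedding closes that gap. All function names and the sample body are constructed for illustration.

```javascript
// Hypothetical helpers; the sample message body below is constructed.
const HOSTILE = 'Hi</TEXTAREA><script>/*constructed sample*/</script>';

// Escape the five characters that let text change HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

const OPEN_TAG = '<textarea id="rawmsg" style="display:none">';

// Naive holder: raw message body placed between the tags as-is.
function wrapNaive(body) {
  return OPEN_TAG + body + '</textarea>';
}

// Hardened holder: body is entity-escaped first, so it cannot close the tag.
// The browser decodes the entities again when script reads textarea.value.
function wrapEscaped(body) {
  return OPEN_TAG + escapeHtml(body) + '</textarea>';
}

// Minimal model of how a browser parses <textarea>: everything is plain text
// until the first case-insensitive "</textarea" followed by whitespace, "/"
// or ">". Returns whatever lands OUTSIDE the holder and is parsed as live
// markup (empty string when the body stayed contained).
function markupEscapingHolder(html) {
  const start = html.indexOf('>') + 1;            // end of the opening tag
  const close = /<\/textarea[\s\/>]/i.exec(html.slice(start));
  if (!close) return '';
  const afterClose = html.indexOf('>', start + close.index) + 1;
  // Drop the wrapper's own closing tag, which is now orphaned at the end.
  return html.slice(afterClose).replace(/<\/textarea>$/i, '');
}

// Check a template's output before trusting the holder approach.
function holderIsSafe(html) {
  return markupEscapingHolder(html) === '';
}

console.log('naive  :', JSON.stringify(markupEscapingHolder(wrapNaive(HOSTILE))));
console.log('escaped:', JSON.stringify(markupEscapingHolder(wrapEscaped(HOSTILE))));
```

Once the body is held safely, writing it to the display element as text (for example via `textContent`) rather than as markup is what corresponds to "kill HTML for now".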
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Norman J. Nolasco
Sent: Saturday, March 16, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

As the Russians once said... "Many tanks."  That will keep users from being "locked out".  In addition to waiting
for IPSwitch to come up with some fix, I'm going to try loading <!--IMail.MailMessage--> into a CDATA field,
then use the template to read/parse the mail message.  This will prevent the browser from getting to the script
before I do.  The only problem is going to be the overhead to scrub the messages.
 
Your KWM templates rock, BTW.  The IMail tags are a dog to work with, but I'm glad they're there.
 
-Norm
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Hornbaker
Sent: Saturday, March 16, 2002 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm et al.,
 
You can disable the automatic preview of messages in KillerWebMail by editing the msgsum.html file. Find this block of code at about line 369:
 
function myLoad(){
 // reset reload count, because user is obviously active
 parent.refreshCount=0
 if(parent.previewFrame){
 <!--IMAIL.BeginIfMsgCount.EQ 0-->
  parent.previewFrame.location.href="readfail.html?blank=yes"
 <!--IMAIL.ElseBeginIfMsgCount-->
  parent.previewFrame.location.href="rmail.<!--IMAIL.Number-->.cgi?mbx="+MailboxLink+"&msgsort="+z
  <!--IMAIL.EndBeginIfMsgCount-->
  }
}
 
and comment out the reload lines (changes shown in red... one of the few times I like html msgs to a list):
 
function myLoad(){
 // reset reload count, because user is obviously active
 parent.refreshCount=0
 if(parent.previewFrame){
 <!--IMAIL.BeginIfMsgCount.EQ 0-->
  //parent.previewFrame.location.href="readfail.html?blank=yes"
 <!--IMAIL.ElseBeginIfMsgCount-->
  //parent.previewFrame.location.href="rmail.<!--IMAIL.Number-->.cgi?mbx="+MailboxLink+"&msgsort="+z
  <!--IMAIL.EndBeginIfMsgCount-->
  }
}
 
Note that the only way to prevent this "hack" (embedded JavaScript commands) is for Ipswitch to rewrite the iwebmsg service so it parses out all JavaScript from the message body before sending it to the browser.
 

Ron Hornbaker

 - http://humankindsystems.com - 2,586 admins can't be wrong
 - http://AnswerTrack.com - eCRM email tracking & routing
 - http://KillerWebMail.com - the name says it all
 - 1-888-952-4888 or [EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Norman J. Nolasco
Sent: Saturday, March 16, 2002 3:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Wow... it's a little worse in KWM.  I just tried a test on the [EMAIL PROTECTED] address.  Since
the preview for the first message in the Inbox comes up automatically, you can't even read your other
mail.  It just forwards you to the faux login page as soon as you log in.  The only way to read the
rest of your mail is to send yourself another message (so the preview for the malicious email doesn't
automatically kick in).
 
Does anyone else see this as a problem or is there some easy setting that I'm not aware of to
neutralize this issue?
 
-Norm
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Norman J. Nolasco
Sent: Saturday, March 16, 2002 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Hi again,
 
I put up a new version of the email generator at http://209.16.59.28/test.asp
 
It can now send the same type of email to KillerWebMail users, as well as
default template users.  Again, even if the login screen doesn't use the same
template, all a malicious user has to do is cut&paste the HTML off the login
page onto their own version.
 
Norman Nolasco
Advarion Incorporated
 
