Cool. I'd recommend putting that code block up in the "BeginIfHTMLMessage" part of the conditional, so that it's used only when the message is, in fact, HTML. Otherwise, your plain-text links won't maintain their hyperlinks. Links to attachments, which are also part of the mailmessage variable, will likewise be gone from HTML messages, which is a pretty significant problem with this method.
 
-Ron
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Harlan Young
Sent: Tuesday, March 19, 2002 1:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm, Ron, and Others,
 This Works wonderfully
Thanks for the tip Ron
 
 
original code from readmail.html:
345:          <!--IMAIL.ElseBeginIfHTMLMessage-->
346:               <TD WIDTH="1%" BGCOLOR="#FFFFFF">&nbsp;</TD> 
347:               <TD BORDER="0" WIDTH="99%" BGCOLOR="#FFFFFF" ALIGN="left">
348:           <!--IMAIL.EndBeginIfHTMLMessage-->
349:        <!--IMAIL.MailMessageWithoutHeader-->    
 
Replace:
 
    <!--IMAIL.MailMessageWithoutHeader-->
 
With:
 
       <form action="" method="post" name="formName" style="visibility:hidden;">
        <textarea name="MailMessage" rows="1" cols="1"><!--IMAIL.MailMessageWithoutHeader--></textarea>
       </form>
       <script language=JavaScript><!--
         var re = /<(.|\n)+?>/gi;
         document.writeln('<pre>');
         document.writeln(document.formName.MailMessage.value.replace(re,''));
         document.writeln('</pre>');
       //--></script>
 
 
Works on IE & NS. Tested down to versions 4 and up to 6 for both browsers.
 
Won't work for Opera, and I am not sure about AOL.
 
 
 
-----Original Message-----
From: Harlan Young [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 1:59 PM
To: !Jonathan
Subject: Fw: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

 
----- Original Message -----
Sent: Monday, March 18, 2002 10:43 AM
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Here is the code I'm using to prevent this sort of thing from affecting my users.  It's ugly, but it's
quick and it works for simple attempts at using this hack.
 
original code from readmail.html:
345:          <!--IMAIL.ElseBeginIfHTMLMessage-->
346:               <TD WIDTH="1%" BGCOLOR="#FFFFFF">&nbsp;</TD> 
347:               <TD BORDER="0" WIDTH="99%" BGCOLOR="#FFFFFF" ALIGN="left">
348:           <!--IMAIL.EndBeginIfHTMLMessage-->
349:        <!--IMAIL.MailMessageWithoutHeader-->    
 
On line 349 of readmail.html (for default iMail template people), replace:
 
<!--IMAIL.MailMessageWithoutHeader-->
 
with:
 
<textarea style="width:100%;height:100%;"><!--IMAIL.MailMessageWithoutHeader--></textarea>
 
(Only works with IE 5+.  You're on your own with NS, but it shouldn't be too hard to figure out.)
I tried a few other tags. "<!--IMAIL.MessageBodyPlain-->" doesn't work.
 
This will disable your users' ability to read HTML email, but will prevent this "hack" from compromising
your usernames/passwords if you feel that this could affect you.  For those that missed the weekend
thread, you can go to a test page I set up at:
 
 
The test page generates an email with embedded javascript that redirects your users to a fake login page.
Since session timeouts are a regular occurrence, users can be fooled into thinking they have timed out
and voluntarily give up their username/password to the fake login page on a different server. 
 
As Ron H stated, this is really something that should be handled on the server-side.  (Thanks Ron for the
<textarea> suggestion.  At least I can tell my clients that something is in place, even if it's not 100% secure.) 
Keep in mind that the code I've provided above can be easily defeated by simply sending an HTML encoded
email that starts with "</textarea>".  The overhead of scrubbing messages on the client-side would
really make reading email a tedious task.  Instead of emails being processed on receipt, they would have
to be processed every time you decide to read the message.
 
Finally, I've noticed that the hit counter on the test page is now up to 282, but there aren't many messages
in this thread.  It's beginning to look like:
1) People are trying it, but don't want anyone to know they have this security hole.
2) Someone is spamming someone else with test emails.
3) Some 12-year-olds on Spring Break are trying to get into their friends' email accounts.
 
So, I'm taking down the script tonight.  If you'd like the ASP/HTML source code to test on your own
servers, let me know.
 
-Norm
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Hornbaker
Sent: Sunday, March 17, 2002 2:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Norm,
 
We've got a JavaScript tag stripper function at http://hksi.net/tagstripper.htm that might come in handy if you're trying to fix this client-side. Loading the message body into a hidden or very small <textarea> tag, then dynamically writing a sanitized version to another div with JS, might be possible. Good luck getting it to work with NS, however. ;)
 
-Ron
----- Original Message -----
Sent: Tuesday, March 19, 2002 11:24 AM
Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Couple reasons you probably won't see an update for a while:
1) To fix this properly, they would have to fix the server-side iwebmsg service, not the templates.
 
2) If a fix is issued, there's always someone who finds a way to one-up the fix with a new
hack.  Taking ownership of this problem now would mean a substantial future resource
allocation, (programmers, support, problems with upgrades, etc...).  Mucho dinero.
 
3) It doesn't keep people from sending or receiving email and there's no RFC spec (that I'm aware
of) that suggests how to fix this problem.  So it isn't technically a critical/severe issue.
 
4) I think the code to scrub the messages might be fairly complex.  Also, it would definitely be useful
to do selective scrubbing (trusted vs. untrusted email sources).  A proper fix isn't easy.  If IPSwitch
does decide to put this on their to do list, I'd be surprised if it didn't take a while.  It would probably
require a few new features and a new page or two.  More dinero.
 
5) There's probably going to be some overhead associated with this.  This would make iMail
unattractive to those in the >10...00 account range.
 
6) I don't think this "wheel" is squeaky enough.
 
If IPSwitch does decide to fix this and does it quickly and correctly, I'd be extremely impressed.
But I'm not expecting it and I'm still happy with the software.  For those that consider this issue a
major problem, they'll just have to find some workaround in the interim... textareas, xml.
 
Historical perspective: Microsoft was able to fix this issue in 1998 in Hotmail (took them about
2 months).  In 1999, someone found a way to bypass the filter.  It was fixed about 2 weeks later. 
They still have not issued new templates or a fix for Outlook Web Access that comes with Exchange
2000.  This problem still affected web-based email accounts from Excite, Yahoo, etc...  I'm not sure
if/when they were fixed.
 
Almost 90-95% of all "secure" message boards that accept some form of HTML also can be
compromised by this method.  Basically, most message boards, search engines, site directories, or
whatever that accepts HTML as a feature can (in some way) be messed up by embedded javascript.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 18, 2002 10:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...

Since we know IpSwitch is monitoring, shouldn't they have issued updated templates by now ?
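
Added example, not code from the thread or from Ipswitch: a JavaScript check (runnable under Node) for the weakness Norm describes above, where a message body containing "</textarea>" closes the wrapper early in either textarea-based template, shown next to the server-side entity-encoding step that keeps the body inert. The helper names and the sample body are constructed for illustration.

```javascript
// Added example. The wrapper matches the template line posted in the thread;
// helper names and the sample body are constructed for illustration.
const OPEN = '<textarea style="width:100%;height:100%;">';
const CLOSE = '</textarea>';

// What the template does today: the message body is substituted verbatim.
function renderRaw(body) {
  return OPEN + body + CLOSE;
}

// Entity-encode the HTML-significant characters. Inside a textarea the browser
// decodes these back for display, so the reader still sees the original text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side fix: encode before substituting into the template.
function renderEscaped(body) {
  return OPEN + escapeHtml(body) + CLOSE;
}

// A browser ends a textarea at the first closing tag, in any letter case.
// Return whatever follows that tag; anything non-empty is message content
// that the browser will parse as live page markup.
function markupAfterTextarea(page) {
  const inner = page.slice(page.indexOf(OPEN) + OPEN.length);
  const end = /<\/textarea\b[^>]*>/i.exec(inner);
  return end ? inner.slice(end.index + end[0].length) : null;
}

// Constructed sample body: harmless bold text stands in for hostile markup.
const sampleBody = 'Hello</TextArea><b>outside the box</b>';

function demo() {
  return {
    raw: markupAfterTextarea(renderRaw(sampleBody)),
    escaped: markupAfterTextarea(renderEscaped(sampleBody)),
  };
}

console.log(demo());
```

With the raw substitution the bold markup lands outside the textarea; with encoding nothing follows the template's own closing tag.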
 
