exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

scip.msn.txt

scip.msn.txt
Posted Jul 23, 2003
Authored by Marc Ruef | Site scip.ch

scip Advisory 2003-01 - MSN search is a link directory moderated by Microsoft. It is possible to inject some scripting with a search query. An attacker could initiate scripting attacks as denial of service attempts or cookie stealing.

tags | advisory, denial of service
SHA-256 | c36c2de0aabf0ef9474193ad304fe9cc33e18af8c68c0026acae466d99f577a2

scip.msn.txt

Change Mirror Download
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

scip Advisory 2003-01

scip ID 186
Title MSN search results.aspx Cross Site Scripting
Affected MSN search results.aspx
Found 2003/07/17 12:25
Informed 2003/07/17 16:11
Fixed 2003/07/23 08:57
Published 2003/07/23
Severity critical
Remote yes
Local yes
Class Cross Site Scripting (XSS)
Credit Marc Ruef <maru@scip.ch>, scip AG, http://www.scip.ch
State Microsoft informed (secure@microsoft.com) and bug fixed
Description MSN search is a link directory moderated by Microsoft. It is

possible to inject some scripting with a search query. An
attacker could initiate scripting attacks as denial of
service attempts or cookie stealing. The script
dnserror.aspx
is not affected by this cross site scripting vulnerability.
Exploit http://search.msn.ch/results.aspx?srch=105&FORM=AS5&
q=%3cscript%3ealert('test')%3b%3c%2fscript%3etest
(URL is splitted into two parts; it doesn't work anymore)
Solution All scripting functions in the webbrowser that are not
needed
should be deactivated. Check all URLs for unexpected strings
(expecially "script") before following them. Some
application
gateways and intrusion detection systems are able to detect
such an attack.
Advisory http://www.scip.ch/publikationen/advisories/
2003-01-msn_search_cross_site_scripting/
scip_advisory_2003-01_msn_search_cross_site_scripting.txt
(URL is splitted into three parts)
scip VulDB http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=186
(description of the vulnerabilities are in german)
Additional Check the "Cross Site Scripting FAQ" by Cgisecurity.com at
http://www.cgisecurity.com/articles/xss-faq.shtml

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx429he5hzJzqVMhEQIlXACfa3MFe/NXzMOqcic/8D5OkW09trIAoO1s
P8ucJOnmjVSAgIJNmod5VOkt
=qMsi
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close