New XSS vulnerability in Microsoft Hotmail allows access to mailboxes
Summary:
Hotmail is one of the world's largest providers of free, Web-based e-mail.
Hotmail contains a XSS vulnerability which allows attackers to hijack
another user session, and access to her/his mailbox and other MSN
services. Unlike most XSS attacks, which require a user to click on a
tainted link, exploitation in this case only requires a Hotmail user to
view a malicious e-mail. Sending the e-mail from a forged e-mail address
affords a greater chance for successful exploitation.

Detail:
By sending the following HTML email it's possible to bypass Hotmail
securuity filters and run Javascript code on the client browser.
<xmp><IMG src='test.gif&</xmp><IMG onerror=alert(document.cookie)
src='><IMG src='><IMG src='test.gif&''''>

Analysis:
The idea behind the above HTML code is <XMP> and the single qoutes. Any
html elements between <xmp> tags are just printed to screen and ignored by
browser, so the first single qoute is ignored by the browser, but hotmail
filter thinks it's a valid single qoute for some kind of value. so hotmail
filter ignores the part of code between the first and second qoute, But
the client browser acts diffrently and run the Jscript code.

Running Jscript code gives the attacker the ability to steal the user
cookie. Once a user's Hotmail cookie has been stolen, an attacker has the
ability to gain full control over the user's account until the user logs
out or the session times out. (Hotmail's default setting is to never
timeout). During that time, an attacker could read, remove, and store all
e-mails, as well as send e-mails from the compromised account.

The ability to execute arbitrary Hotmail actions allows an attacker to set
any option that the targeted user could normally set under the Options
menu. This includes redirecting all e-mail to the deleted folder and
modifying the user's name or e-mail signature.

For further information on this class of attacks, refer to "The Evolution
of Cross-Site Scripting Attacks," an iDEFENSE White Paper available at .

Exploit:
In the lab we've developed a working exploit which downloads the Hotmail
INBOX of a user once he/she opens our email. A sample exploit is available
online. It just runs a very simple code of jscript once u open the email.
http://ce.aut.ac.ir/~niksefat/hotmail/hotmail-xss-test.php

Advisory:
The original text could be found here:
http://ce.aut.ac.ir/~niksefat/hotmail/hotmail-xss-report.html

Credits:
This vulnerability has been discovered by Salman
Niksefat(niksefat@ce.aut.ac.ir) BS student of computer engineering at the
university of Amirkabir(www.aut.ac.ir).